Bug 34933 - netreport function in network-scripts seems to be insecure
netreport function in network-scripts seems to be insecure
Product: Red Hat Linux
Classification: Retired
Component: initscripts (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
: Security
Depends On:
  Show dependency treegraph
Reported: 2001-04-05 21:12 EDT by lumpy_
Modified: 2014-03-16 22:20 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-06 12:00:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description lumpy_ 2001-04-05 21:12:02 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386)

it seems that netreport and the network-scripts allow arbitrary pid killing

Reproducible: Didn't try
Steps to Reproduce:

	from man 7 signal:
1.      SIGIO       23,29,22     A      I/O now possible (4.2 BSD)
      The letters in the  "Action"  column  have  the  following

       A      Default action is to terminate the process.

(note that on bsd the sigio is discarded by default)

2. ls -l /sbin/netreport
        -rwxr-sr-x    1 root     root         3860 Mar 13 14:41
(which creates pid files in /var/run/netreport/
        drwxrwxr-x    2 root     root         4096 Apr  5 18:17 netreport
(which has files such as this created when you run it)
        ----------    1 lumpy    root            0 Apr  5 18:15 19769
        ----------    1 lumpy    root            0 Apr  5 18:17 19968
(note that the pid file is not removed automagically.  i tested this by
 executing sh, running netreport, exiting the shell, and ls'ing again)

These files are apparently used by:
3. /etc/sysconfig/network-scripts/network-functions

this script contains the following function:

do_netreport ()
  # Notify programs that have requested notification
  ( cd /var/run/netreport || exit
    for i in * ; do
      [ -f $i ] && \
        kill -SIGIO $i >/dev/null 2>&1 || \
          rm -f $i >/dev/null 2>&1

So it looks like you should be able to kill arbitrary processes.

Im new to linux, but not unix.  I have to rely on the manpages, as this
box is not mine and i really dont want to crash it.  What do you guys
think?  Is this a known issue that i just didnt know about?

Actual Results:  i couldnt test -- couldnt kill the box because it was in

Expected Results:  that arbitrary processes created with pids from stale
netreports would be killed
Comment 1 Daniel Roesen 2001-04-06 04:15:02 EDT
Yep. I agree to the analysis. You don't have control over which process gets
killed, but it's serious anyway I think. But sadly I see no workaround :-(
Comment 2 lumpy_ 2001-04-06 11:35:08 EDT
There is one way that you could do it easilly but im not sure it would fully
resolve the
security issues.  (Note that i just woke up :)):

	If you set your user id to that of the user who created the file before killing
	process... that way when its not your process it wont let you send SIGIO.
Comment 3 Bill Nottingham 2001-04-06 14:03:46 EDT
Will be fixed in 5.83-1.

Note You need to log in before you can comment on or make changes to this bug.