Bug 435442 (CVE-2008-0884) - CVE-2008-0884 system-auth-ac is world-writable
Summary: CVE-2008-0884 system-auth-ac is world-writable
Alias: CVE-2008-0884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Grubb
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2008-02-29 11:53 UTC by Mark J. Cox
Modified: 2019-09-29 12:23 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-04-24 11:11:41 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0193 0 normal SHIPPED_LIVE Important: lspp-eal4-config-ibm and capp-lspp-eal4-config-hp security update 2008-04-01 14:26:50 UTC

Description Mark J. Cox 2008-02-29 11:53:20 UTC
The CAPP/LSPP config script causes a world-writable file for both IBM and HP 

Detailed report in next comment

Comment 1 Mark J. Cox 2008-02-29 11:55:48 UTC
Unfortunately, using the shipped RHEL5 kickstart configuration RPM
results in an insecure configuration, the /etc/pam.d/system-auth file is
set to be world writable.

The potential impact of this is serious, since unauthorized changes to
this file can disable or weaken the system's authentication methods,
including remote access. Authorized users with limited privileges could
exploit this to gain additional access, and it could also be an
escalation method for other vulnerabilities in low-privilege services.

As a mitigating factor, the MLS SELinux policy prohibits write access to
the PAM files for normal users in LSPP mode. In CAPP mode, the targeted
policy does allow write access for normal users. Also, just installing
the RPM does not change any permissions, the capp-lspp-config script
needs to run (normally as part of the kickstart-based installation) to do

The following is a more detailed explanation of the cause and my attempt
to track down the history of the changes resulting in the insecure
configuration - a proposed workaround patch for the kickstart config
script is below that.

The reason for the bad permissions is that the "Replace" shell function
in the capp-lspp-config script copies the permissions from the original
file when installing the CC evaluation specific ones based on information
returned from the stat(1) command, and unfortunately by default this
command uses the lstat(2) system call which does not follow symlinks -
the "-L" flag is needed to dereference them.

The "Replace" function had worked fine for RHEL3 and RHEL4 since none of
the affected files were symlinks. In RHEL5, /etc/pam.d/system-auth is a
symlink to the /etc/pam.d/system-auth-ac file, and the script now sets
the permissions to "777" based on the result of running stat(1) on the

The authconfig RPM introduced the symlink during RHEL5 development,
apparently based on https://bugzilla.redhat.com/show_bug.cgi?id=165342 to
support local PAM config changes more easily.

A workaround for the issue in the kickstart script would be adding the
"-L" flag to the stat(1) call to avoid this and related issues in the

Comment 2 Mark J. Cox 2008-02-29 11:56:31 UTC
Proposed fix

--- a/lspp-config/bin/capp-lspp-config.in
+++ b/lspp-config/bin/capp-lspp-config.in
@@ -1065,8 +1065,8 @@ Replace() {
          return 0
      Log "Archiving $DEST"
-     MODE=$(stat -c '%a'    $DEST)
-     UG=$(  stat -c '%U.%G' $DEST)
+     MODE=$(stat -L -c '%a'    $DEST)
+     UG=$(  stat -L -c '%U.%G' $DEST)
      expr $DEST : /etc/init.d >/dev/null || {
             # don't store backups inside /etc/init.d
          Archive $DEST

Comment 4 Mark J. Cox 2008-04-01 14:25:33 UTC
removing embargo

Comment 5 Red Hat Product Security 2008-04-24 11:11:41 UTC
This issue was addressed in:

Red Hat Enterprise Linux:

Note You need to log in before you can comment on or make changes to this bug.