Description of problem: /etc/rc.sysinit makes | find -L /var/lock /var/run ! -type d -exec rm -f {} \; at every start. It is common practice to have daemon-writable subdirs below /var/run or /var/lock (e.g. /var/run/openldap). When such a daemon is compromised, an attack could create a | /var/run/openldap/foo -> / symlink which wipes whole system at next startup. Version-Release number of selected component (if applicable): initscripts-8.76.2-1.x86_64 How reproducible: 100% Steps to Reproduce: 1. mkdir /var/run/foo 2. chown nobody:nobody /var/run/foo 3. runuser nobody -s /bin/sh 'ln -s / /var/run/foo/bar' 4. reboot Actual results: a lot of 'command not found' errors on startup Additional info: Kudos to Herbert Poetzl about discovering this vulnerability.
initscripts-8.76.3-1 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/initscripts-8.76.3-1
initscripts-8.76.3-1 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update initscripts'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-7667
initscripts-8.76.3-1 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.