Bug 476529 - (CVE-2008-6755) CVE-2008-6755 zoneminder: default permissions of zm.conf
CVE-2008-6755 zoneminder: default permissions of zm.conf
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: zoneminder (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Martin Ebourne
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-15 08:22 EST by Tomas Hoger
Modified: 2009-04-27 18:08 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-07 04:26:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-12-15 08:22:38 EST
While checking Gentoo bug:

  http://bugs.gentoo.org/show_bug.cgi?id=250715

I noticed that zoneminder in Fedora defaults to apache:apache 600 for /etc/zm.conf.  Therefore, Fedora defaults does now allow reading the config file directly using cat or vim.  chmod o-r is probably not much of a fix in setups where local users can run own php or cgi scripts with web server privileges.

However, in such setups, Fedora default seems even worse, as any php or cgi can actually modify the config (and at least break DB connectivity).

In similar cases, where some daemon user needs read access to certain config file, root:<daemon_group> 640 is more common.  Please check if changing:

%config(noreplace) %attr(600,%{zmuid_final},%{zmgid_final}) %{_sysconfdir}/zm.conf

to

%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm.conf

makes sense for ZM.
Comment 1 Fedora Update System 2008-12-15 16:47:40 EST
zoneminder-1.23.3-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/zoneminder-1.23.3-2.fc10
Comment 2 Fedora Update System 2008-12-21 03:46:57 EST
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update zoneminder'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11484
Comment 3 Fedora Update System 2009-01-07 04:26:35 EST
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Vincent Danen 2009-04-27 18:08:33 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6755 to
the following vulnerability:

Name: CVE-2008-6755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6755
Assigned: 20090427
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=476529
Reference: FEDORA:FEDORA-2008-11484
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00204.html

ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to
the apache user account, and sets the permissions to 0600, which makes
it easier for remote attackers to modify this file by accessing it
through a (1) PHP or (2) CGI script.

Note You need to log in before you can comment on or make changes to this bug.