Description of problem: The lockdev uses /var/lock/lockdev for locking instead of /var/lock (introduced in #581884). /var/lock/lockdev contains only device locks that are world writeable using lockdev utility. This directory should be world writeable (1777) directly. Version-Release number of selected component (if applicable): lockdev-1.0.3-8.fc15
Package lockdev-1.0.3-9.fc15: * should fix your issue, * was pushed to the Fedora 15 updates-testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-9.fc15' as soon as you are able to, then reboot. Please go to the following url: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15 then log in and leave karma (feedback).
lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lockdev'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/lockdev-1.0.3-9.fc15
lockdev-1.0.3-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This is a gaping security hole. We do not want to allow normal users to fill up /var or /var/run. We do not want a any further /tmp with unrestricted access to the user. With this in place normal users can fill up the fs trivially thus making it impossible for system software to lock things. Additional world-writable directories are really not acceptable. Access to this directory should be allowed only through the lockdev setgid tool and the lock dir should be writable to the group "lock" only, so that random people cannot write things here uncontrolled. The lockdev utility should ensure that only valid device names. Reopening.
Also, the dir cannot be sticky: https://bugzilla.redhat.com/show_bug.cgi?id=145264#c1
Discussed at the 2011-04-01 blocker bug review meeting. We feel that this is not a serious enough security issue to be a beta blocker. Rejected as blocker for F15Beta, will be re-visited as a final blocker.
Thanks for the description Lennart, I'll revert the change and also remove the /etc/tmpfiles.d/lockdev.conf completely (bug #692714).
lockdev-1.0.3-10.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15
Package lockdev-1.0.3-10.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lockdev-1.0.3-10.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/lockdev-1.0.3-10.fc15 then log in and leave karma (feedback).
(BTW, sorry for sounding that harsh in my first comment)
Discussed at 2011-04-15 blocker review meeting. On criteria, this is a non-blocker, as we don't have security criteria, though we maybe should. On its merits, we still feel probably not a blocker, as it's a local DoS vuln, and we've shipped releases with enough of those in the past; most general-purpose Linux distros don't really commit, practically speaking, to trying really hard to ensure there are absolutely no local DoS holes in a default install. So, accepted NTH, rejected blocker. We could discuss this in more detail in a generic discussion of potential security criteria. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
lockdev-1.0.3-10.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.