Bug 9538 - nscd runs as root, and any user can crash it
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nscd
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jakub Jelinek
Keywords: Security
Reported: 2000-02-18 01:02 UTC by wingc
Modified: 2008-05-01 15:37 UTC (History)
Last Closed: 2000-07-16 17:12:01 UTC



Description wingc 2000-02-18 01:02:14 UTC
There are a few bugs in the nscd program included with glibc 2.1:

- the default action for a nscd request if the request type is unknown is
to abort(). As far as I can tell, this means that anyone can crash the nscd
daemon by sending a request with a type that nscd does not understand.

- nscd does not call setsid() when starting up as a daemon. This means that
if root logs in and starts it, nscd will hold onto that controlling TTY
until it is hung up.

- nscd runs as root. This isn't necessary. It would be nice if it could be
run as its own unprivileged user.


I have a patch that implements fixes for all three of these:

http://www.engin.umich.edu/caen/systems/Linux/code/patches/nscd-security.patch

Adding the following %post/%preun scripts to the glibc spec file will
create the nscd user that would be needed to run nscd as non-root:


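%post -n nscd
# Register the init script and create the unprivileged nscd system account.
/sbin/chkconfig --add nscd
/usr/sbin/useradd -c "nscd caching daemon" \
	-s /bin/false -r -d / nscd 2>/dev/null || :

%preun -n nscd
# $1 is 0 only on final package removal, not on upgrade.
if [ "$1" = 0 ] ; then
    /sbin/chkconfig --del nscd
    /usr/sbin/userdel nscd 2>/dev/null
    /usr/sbin/groupdel nscd 2>/dev/null || :
fi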



I've sent these suggestions to the author of nscd but haven't received a
response yet.


Thanks,

Chris Wing
wingc@engin.umich.edu
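
The three points in the description above, sketched in C as an added example; this is not the linked patch and not glibc's nscd code. The header layout, request types, status codes, MAX_KEY and both function names are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE                 /* for setgroups() under strict -std */
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical wire format: fixed header followed by key_len key bytes. */
enum req_type { REQ_GETPWBYNAME, REQ_GETGRBYNAME, REQ_LAST };
enum status { ST_OK, ST_SHORT, ST_BAD_TYPE, ST_BAD_KEYLEN };
struct req_hdr { int32_t version; int32_t type; int32_t key_len; };
#define MAX_KEY 1024

/* Validate one client request. Anything malformed or unknown is reported
 * to the caller, which drops that connection; the daemon never abort()s
 * on input that an unprivileged client controls. */
enum status check_request(const unsigned char *buf, size_t len)
{
    struct req_hdr h;

    if (len < sizeof h)
        return ST_SHORT;
    memcpy(&h, buf, sizeof h);          /* avoid unaligned access */
    if (h.type < 0 || h.type >= REQ_LAST)
        return ST_BAD_TYPE;             /* reject, do not crash */
    if (h.key_len <= 0 || h.key_len > MAX_KEY ||
        (size_t)h.key_len != len - sizeof h)
        return ST_BAD_KEYLEN;
    return ST_OK;
}

/* Detach from the controlling TTY and switch to an unprivileged account.
 * Call in the child after fork(), once privileged setup is finished.
 * Returns 0 on success, -1 if any step fails (the caller should exit). */
int detach_and_drop(const char *user)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL || setsid() == (pid_t)-1)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    /* Regaining root must now fail, otherwise the drop did not stick. */
    return (setuid(0) == 0) ? -1 : 0;
}
```
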

Comment 1 Cristian Gafton 2000-05-22 15:41:59 UTC
assigned to jakub

Comment 2 Pekka Savola 2000-07-16 17:11:59 UTC
Still an issue w/ nscd-2.1.91-2 from Rawhide.



Comment 3 Jakub Jelinek 2000-08-24 07:36:23 UTC
Fixed in glibc-2.1.92

