Michael Scherer reported that the passenger ruby gem, when used in standalone mode, does not use temporary files in a secure manner. In the lib/phusion_passenger/standalone/main.rb's create_nginx_controller function, passenger creates an nginx configuration file insecurely and starts nginx with that configuration file: @temp_dir = "/tmp/passenger-standalone.#{$$}" @config_filename = "#{@temp_dir}/config" If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start an nginx instance with their own configuration file. This could result in a denial of service condition for a legitimate service or, if passenger were executed as root (in order to have nginx listen on port 80, for instance), this could lead to a local root compromise.
I have confirmed this is present in the passenger rubygem 4.0.3 (released May 24, 2013) as well 3.0.17 (the version Fedora 18 ships).
This is now public and fixed in 3.0.21 and 4.0.5: http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/ http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/ The source code fixes are available at: 4.0 series: https://github.com/FooBarWidget/passenger/commit/bfe619eec3a337b4868b9928dc273e70a4a96f37 3.0 series https://github.com/FooBarWidget/passenger/commit/0eaebb00f6b7327374069a7998064c68cc54e9f1
For the 3.0 series, 0eaebb00 is not complete. You also need 56d9d39f.
This issue affects the versions of the rubygem-passenger package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update.
Created rubygem-passenger tracking bugs for this issue Affects: epel-6 [bug 968923]
Created rubygem-passenger tracking bugs for this issue Affects: fedora-all [bug 968930]
Acknowledgements: This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise 1.2 Via RHSA-2013:1136 https://rhn.redhat.com/errata/RHSA-2013-1136.html