Re: gnats/501: GNATS - gen-index

From: Chad Walstrom
Subject: Re: gnats/501: GNATS - gen-index
Date: Mon, 27 Jun 2005 11:47:10 -0500

address@hidden wrote:
> Issue: GNATS - the GNU problem report management system allows an
> attacker to overwrite files with privileges suid root (when compiled
> from sources and there isn't in system ...  Btw. When gnats was
> installed with suid gnats privileges you can overwrite gnats files.

The old definitely sets the suid bit for executables
regardless of what user id the tools are installed with.  This stems
from the old-style tools that manipulated PR files directly on the
filesystem.  This definitely needs cleanup.

The non-patch solution for this problem is to advise users to remove
the suid bit from GNATS applications and run them through sudo if run
on local databases, to use gnatsd on a local network interface, and
finally, to re-install with an unprivileged user.

The patch solution for this problem is to remove the suid bit from the
chmod lines in the old files and instruct users how to
operate without these "conveniences".  With utilities like sudo and
ssh with public-key authentication, one does not need suid/sgid to
operate on local databases.

Note, Debian packages do not suffer from this vulnerability.  There
are no suid binaries in either gnats or gnats-user packages, and an
unprivileged user is created for gnatsd.

I'm not familiar with RPM packages for GNATS, so I cannot comment on
those.  I also don't know how FreeBSD or NetBSD might have GNATS
configured in the PORTS systems.  It may be that this problem only
surfaces when someone downloads and installs the software manually
without creating an unprivileged user.

GNATS does not need to run with root privileges for any operation.
The TCP port used is above the traditional privileged ports (< 1024),
and the only other consideration is filesystem permissions.  One can
certainly work around these restrictions w/o using the suid/sgid bit.

> GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all previous
> versions are also vulnerable.

Probably everything <= 4.1.0.

> Fix: Check id for file and user who run program. Open the file by
> function open() with flag O_EXCL to protect to race condition bug."

I'll take a look at the open function you quote.  To keep changes as
minimal as possible, we'll change the current files so
that if the install user is root and/or uid 0, then the suid bit is
not set.

In 4.2.x, the files are being replaced with an
automake/autoconf build system, which should handle the application
permissions sanely (i.e. w/o suid).  Whenever possible, we should not
set suid on binaries, and I'll make certain this is observed in the
new build system.

- -- 
Chad Walstrom <address@hidden> 
           assert(expired(knowledge)); /* core dump */
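
The symlink race the report alludes to, and the two checks it proposes
(compare the file's owner with the invoking user, and open with O_EXCL),
as an added example. This is not GNATS code and not the build-system fix
described in the reply above: the function names, the constructed
temporary files, and the addition of O_NOFOLLOW are this example's own
assumptions. In a suid-root binary getuid() is the invoking user while
geteuid() is root, which is why the ownership check uses the real uid.

```c
/* Added example (not GNATS code): the symlink race a setuid binary invites
 * when it opens a caller-supplied path, beside the hardened open the bug
 * report asks for. Build: cc -Wall -o suid-open-demo suid-open-demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: open whatever the caller named, creating or truncating
 * it. Under suid root, a symlink planted by the caller is followed and the
 * root-owned target is clobbered. */
int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern ("open the file with O_EXCL"): O_EXCL makes open() fail
 * with EEXIST when the name already exists, including as a symlink, so the
 * existence check and the create are one atomic step with no race window.
 * O_NOFOLLOW (an assumption of this example) covers the same case again. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* "Check id for file and user who run program": in a setuid binary getuid()
 * is the invoking user, not the effective root uid. Accept only a regular
 * file owned by that user; lstat() judges a symlink by its own inode. */
int caller_owns(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid();
}

/* Outcome of one run of the scenario below. */
struct scenario {
    int setup_ok;         /* 1 if the temporary files were created */
    int victim_owned;     /* caller_owns(victim): 1 */
    int link_owned;       /* caller_owns(symlink): 0 */
    int unsafe_clobbered; /* 1 if unsafe_create() emptied victim via the link */
    int safe_errno;       /* errno from safe_create() on the link: EEXIST */
};

/* Plays the attack in a private temp dir (constructed sample data):
 * victim <- "secret", link -> victim, then both open() variants on link. */
struct scenario run_scenario(void) {
    struct scenario r = {0, 0, 0, 0, 0};
    const char *tmp = getenv("TMPDIR");
    char dir[256], victim[300], link[300];
    struct stat st;
    int fd;

    snprintf(dir, sizeof dir, "%s/suid-open-demo-XXXXXX",
             (tmp && *tmp) ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL) return r;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd) != 0 ||
        symlink(victim, link) != 0) {
        unlink(victim);
        rmdir(dir);
        return r;
    }
    r.setup_ok = 1;
    r.victim_owned = caller_owns(victim);
    r.link_owned = caller_owns(link);

    fd = unsafe_create(link);          /* follows the link, truncates victim */
    if (fd >= 0) close(fd);
    r.unsafe_clobbered = (stat(victim, &st) == 0 && st.st_size == 0);

    errno = 0;
    fd = safe_create(link);            /* refused: the name exists (EEXIST) */
    r.safe_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void) {
    struct scenario r = run_scenario();
    if (!r.setup_ok) { perror("setup"); return 1; }
    printf("caller owns victim: %d, owns link: %d\n", r.victim_owned, r.link_owned);
    printf("unsafe open clobbered victim: %d\n", r.unsafe_clobbered);
    printf("safe open failed with: %s\n", strerror(r.safe_errno));
    return 0;
}
```

Run it as an ordinary user; the demo never needs root, because the point
is only the difference between the two open() calls. A real suid tool
would also want to drop to the invoking uid before touching any path it
does not own, which is the same end the reply reaches by way of sudo
instead of the suid bit.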
