[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gnats/501: GNATS - gen-index

From: Adam Zabrocki
Subject: Re: gnats/501: GNATS - gen-index
Date: Tue, 28 Jun 2005 11:34:06 +0200

Thank awfully for response...

In most gnats instalation we creat new user (gnats probaly :))
and group (probably gnats too:)). The real problem (for me) is
that when binaries have sgid/suid user (in this situaction user
gnats) privilages we can overwrote binary files for gnats system
and all system will crash. When someone installed gnats with suid
root privilages that is worse but i don't think wheter it is
'real' problem...

Best regards...

Dnia 27-06-2005 o godz. 18:47 Chad Walstrom napisał(a):
> Hash: SHA1
> address@hidden  wrote:
> > Issue: GNATS - the GNU problem report management system allows
> > attacker to overwrite files with privileges suid root (when
> > from sources and there isn't in system ...  Btw. When gnats was
> > instaled with suid gnats privilages you can overwrite gnats
> The old definitely sets the suid bit for executables
> regardless of what user id the tools are installed with.  This
> from the old-style tools that manipulated PR files directly on the
> filesystem.  This definitely needs cleanup.
> The non-patch solution for this problem is to advise users to
> the suid bit from GNATS applications and run them through sudo
if run
> on local databases, to use gnatsd on a local network interface, and
> finally, to re-install with an unprivileged user.
> The patch solution for this problem is to remove the suid bit
from the
> chmod lines in the old files and instruct users how to
> operate without these "conveniences".  With utilities like sudo and
> ssh with public-key authentication, one does not need suid/sgid to
> operate on local databases.
> Note, Debian packages do not suffer from this vulnerability.  There
> are no suid binaries in either gnats or gnats-user packages, and an
> unprivileged user is created for gnatsd.
> I'm not familiar with RPM packages for GNATS, so I cannot
comment on
> those.  I also don't know how FreeBSD or NetBSD might have GNATS
> configured in the PORTS systems.  It may be that this problem only
> surfaces when someone downloads and installs the software manually
> without creating an unprivileged user.
> GNATS does not need to run with root privileges for any operation.
> The TCP port used is above the traditional privileged ports (<
> and only other consideration is filesystem permissions.  One can
> certainly work around these restrictions w/o using the
suid/sgid bit.
> > GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all
> > versions are also vulnerable.
> Probably everything <= 4.1.0.
> > Fix: Check id for file and user who run program. Open the file by
> > function open() with flag O_EXCL to protect to race condition
> I'll take a look at the open function you quote.  To keep
changes as
> minimal as possible, we'll change the current files so
> that if the install user is root and/or uid 0, then the suid bit is
> not set.
> In 4.2.x, the files are being replaced with
> automake/autoconf build system, which should handle the application
> permissions sanely (i.e.  w/o suid).  Whenever possible, we
should not
> set suid on binaries, and I'll make certain this is observed in the
> new build system.
> - -- 
> Chad Walstrom <address@hidden> 
>            assert(expired(knowledge)); /* core dump */
> Version: GnuPG v1.4.1 (GNU/Linux)
> uoFcAh95EOD0wpHix4sBVwg=
> =gGQq
> -- 
> Chad Walstrom <address@hidden> 
>            assert(expired(knowledge)); /* core dump */

pi3 (pi3ki31ny) - pi3ki31ny wp pl

OMNIXMAIL! Jeśli masz telefon w sieci Era i dostęp do WAP, to możesz
na komórce odbierać pocztę ze wszystkich swoich kont e-mail i kiedy
chcesz! Usługę OMNIXMAIL znajdziesz w Era Omnix w zakładce 
Między Nami:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]