
Re: gnats/501: GNATS - gen-index


From: Adam Zabrocki
Subject: Re: gnats/501: GNATS - gen-index
Date: Tue, 28 Jun 2005 11:34:06 +0200

Thanks awfully for the response...

In most gnats installations we create a new user (gnats probably :))
and group (probably gnats too :)). The real problem (for me) is
that when binaries have sgid/suid user (in this situation user
gnats) privileges we can overwrite binary files for the gnats system
and the whole system will crash. When someone installed gnats with suid
root privileges that is worse, but I'm not sure whether it is a
'real' problem...

Best regards...


On 27-06-2005 at 18:47 Chad Walstrom wrote:
> address@hidden  wrote:
> > Issue: GNATS - the GNU problem report management system allows
> > an attacker to overwrite files with privileges suid root (when compiled
> > from sources and there isn't in system ...  Btw. When gnats was
> > installed with suid gnats privileges you can overwrite gnats files.
> 
> The old Makefile.in definitely sets the suid bit for executables
> regardless of what user id the tools are installed with.  This stems
> from the old-style tools that manipulated PR files directly on the
> filesystem.  This definitely needs cleanup.
> 
> The non-patch solution for this problem is to advise users to remove
> the suid bit from GNATS applications and run them through sudo if run
> on local databases, to use gnatsd on a local network interface, and
> finally, to re-install with an unprivileged user.
> 
> The patch solution for this problem is to remove the suid bit from the
> chmod lines in the old Makefile.in files and instruct users how to
> operate without these "conveniences".  With utilities like sudo and
> ssh with public-key authentication, one does not need suid/sgid to
> operate on local databases.
> 
> Note, Debian packages do not suffer from this vulnerability.  There
> are no suid binaries in either gnats or gnats-user packages, and an
> unprivileged user is created for gnatsd.
> 
> I'm not familiar with RPM packages for GNATS, so I cannot comment on
> those.  I also don't know how FreeBSD or NetBSD might have GNATS
> configured in the PORTS systems.  It may be that this problem only
> surfaces when someone downloads and installs the software manually
> without creating an unprivileged user.
> 
> GNATS does not need to run with root privileges for any operation.
> The TCP port used is above the traditional privileged ports (< 1024),
> and the only other consideration is filesystem permissions.  One can
> certainly work around these restrictions w/o using the suid/sgid bit.
> 
> > GNATS 4.1.0 and 4.0 are confirmed vulnerable. Probably all previous
> > versions are also vulnerable.
> 
> Probably everything <= 4.1.0.
> 
> > Fix: Check the id of the file and of the user who runs the program. Open the file with
> > the function open() with flag O_EXCL to protect against the race condition bug."
> 
> I'll take a look at the open function you quote.  To keep changes as
> minimal as possible, we'll change the current Makefile.in files so
> that if the install user is root and/or uid 0, then the suid bit is
> not set.
> 
> In 4.2.x, the Makefile.in files are being replaced with
> automake/autoconf build system, which should handle the application
> permissions sanely (i.e.  w/o suid).  Whenever possible, we should not
> set suid on binaries, and I'll make certain this is observed in the
> new build system.
> 
> -- 
> Chad Walstrom <address@hidden>          http://www.wookimus.net/
>            assert(expired(knowledge)); /* core dump */

--
pi3 (pi3ki31ny) - pi3ki31ny wp pl
http://www.pi3.int.pl
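The two defensive checks proposed in the thread (refuse to run with borrowed setuid/setgid privilege, or drop it, and create PR files with O_EXCL so a file planted at the path beforehand cannot be clobbered), written out as an added C example for this archive page; it is not code from the GNATS source, and the function names and the /tmp path used in the comments are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the effective ids differ from the real ones, i.e. the
 * binary was installed suid/sgid and is running with borrowed privilege
 * (the situation the report describes); 0 otherwise. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently give up any suid/sgid privilege so that every later file
 * operation happens as the invoking user (the effect Chad's "run through
 * sudo, no suid" advice relies on). Group first, then user, because once
 * the uid is dropped the gid can no longer be changed.
 * Returns 0 on success, -1 if the drop did not take. */
int drop_setid(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop actually happened before trusting it. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Create a new PR file atomically. O_CREAT|O_EXCL makes open() fail with
 * EEXIST instead of writing into a file (or through a symlink) that was
 * already sitting at the path, which closes the race the report mentions.
 * The fstat afterwards confirms we hold a regular file owned by our own
 * effective uid before anything is written to it.
 * Returns the open fd, or -1 with errno set. */
int create_pr_exclusive(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```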

