[Mono-bugs] [Bug 77340][Maj] Changed - Local user can overwrite arbitrary file using mono-service

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Wed Aug 30 06:13:20 EDT 2006

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by joergr at voelcker.com.


--- shadow/77340	2006-07-31 12:06:56.000000000 -0400
+++ shadow/77340.tmp.13924	2006-08-30 06:13:20.000000000 -0400
@@ -85,6 +85,25 @@
 I am aware that -l: can be used to pick a lock location that isn't as
 insecure as /tmp. However, I believe that if the default invocation of
 mono-service opens a security hole (due to reckless usage of /tmp), it
 is something that should be fixed or, at the very least, the openness
 to attacks should be documented in block letters.
+------- Additional Comments From JoergR at voelcker.com  2006-08-30 06:13 -------
+Sorry, that I haven't found this bug until now.
+Some thoughts about this:
+Would it improve security to open the file using OpenFlags.O_NOFOLLOW?
+This should prevent symlink attacks. Putting the lock file to /var/run
+as default seems also reasonable to me. 
+To Alp: The redirection happens to avoid any console output. This
+should run as/like a daemon shouldn't it? Any error messages of
+mono-service go to the system log. When mono-service was still C code
+the forking was done inside the daemon. This was factored out to the
+shell script because it could not be easily done in C#. As someone
+with not much shell scripting experience I don't know what you mean
+with "The
+shell script is a total hack. It's unsupportable and should not ship
+in its current state." Do you have any suggestions for improvement of
+this script?

More information about the mono-bugs mailing list