[Mono-bugs] [Bug 77340][Maj] New - Local user can overwrite arbitrary file using mono-service
bugzilla-daemon at bugzilla.ximian.com
Tue Jan 24 08:01:03 EST 2006
Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by pawel.sakowski at mind-breeze.com.
http://bugzilla.ximian.com/show_bug.cgi?id=77340
--- shadow/77340 2006-01-24 08:01:03.000000000 -0500
+++ shadow/77340.tmp.15251 2006-01-24 08:01:03.000000000 -0500
@@ -0,0 +1,45 @@
+Bug#: 77340
+Product: Mono: Tools
+Version: 1.1
+OS: GNU/Linux [Other]
+OS Details:
+Status: NEW
+Resolution:
+Severity:
+Priority: Major
+Component: tools
+AssignedTo: mono-bugs at ximian.com
+ReportedBy: pawel.sakowski at mind-breeze.com
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL:
+Cc:
+Summary: Local user can overwrite arbitrary file using mono-service
+
+Description of Problem:
+mono-service's way of creating pid/lock files, combined with the default
+location in /tmp, makes the system vulnerable to a symlink attack by any
+local user.
+
+The pid files should either be created in a fashion that avoids following
+existing symlinks, or the default location should not be world-writable on
+a typical system (or both).
+
+Steps to reproduce the problem:
+1. (as an unprivileged user) ln -s /etc/shadow /tmp/foo.exe.lock
+2. (as root) mono-service foo.exe (for any foo.exe)
+3. cat /etc/shadow
+
+Actual Results:
+9066
+$1$(...)
+
+Expected Results:
+root:$1$(...)
+
+How often does this happen?
+Always. The pid in /etc/shadow obviously varies.
+
+Additional Information:
+Both FHS 2.3 section 5.13 and LSB 3.1 Core section 20.8 specify the
+non-world-writable /var/run/basename.pid as the standard pid file location.
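Review bot: The remedy in "Description of Problem" ("created in a fashion that avoids following existing symlinks") should name the mechanism and be listed as required, not as one of two alternatives joined by "either ... or". Changing the default location away from /tmp removes the world-writable directory for the default case only; whenever the lock file ends up in a directory another user can write to, the same link is followed, so the creation step itself needs to be exclusive (open with O_CREAT|O_EXCL, which fails with EEXIST when the path already exists, including when it is a symlink). It would also help to state what "Actual Results" implies: the pid replaced only the leading "root:" bytes of /etc/shadow, so the file is opened for writing without truncation and the rest of the target survives. The "Severity:" field is empty while "Priority: Major" is set; fill it in so the report can be triaged as a local privilege issue.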