[Mono-bugs] [Bug 77340][Maj] New - Local user can overwrite arbitrary file using mono-service

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Tue Jan 24 08:01:03 EST 2006

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by pawel.sakowski at mind-breeze.com.


--- shadow/77340	2006-01-24 08:01:03.000000000 -0500
+++ shadow/77340.tmp.15251	2006-01-24 08:01:03.000000000 -0500
@@ -0,0 +1,45 @@
+Bug#: 77340
+Product: Mono: Tools
+Version: 1.1
+OS: GNU/Linux [Other]
+OS Details: 
+Status: NEW   
+Priority: Major
+Component: tools
+AssignedTo: mono-bugs at ximian.com                            
+ReportedBy: pawel.sakowski at mind-breeze.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: Local user can overwrite arbitrary file using mono-service
+Description of Problem:
+mono-service's way of creating pid/lock files, combined with the default
+location in /tmp, makes the system vulnerable to a symlink attack by any
+local user.
+The pid files should either be created in a fashion that avoids following
+existing symlinks, or the default location should not be world-writable on
+a typical system (or both).
+Steps to reproduce the problem:
+1. (as an unprivileged user) ln -s /etc/shadow /tmp/foo.exe.lock
+2. (as root) mono-service foo.exe (for any foo.exe)
+3. cat /etc/shadow
+Actual Results:
+Expected Results:
+How often does this happen? 
+Always. The pid in /etc/shadow obviously varies.
+Additional Information:
+Both FHS 2.3 section 5.13 and LSB 3.1 Core section 20.8 specify the
+non-world-writable /var/run/basename.pid as the standard pid file location.

More information about the mono-bugs mailing list