[Mono-bugs] [Bug 77340][Maj] Changed - Local user can overwrite arbitrary file using mono-service

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Sun Jul 30 08:43:53 EDT 2006

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by alp at atoker.com.


--- shadow/77340	2006-02-13 07:11:05.000000000 -0500
+++ shadow/77340.tmp.12280	2006-07-30 08:43:53.000000000 -0400
@@ -2,13 +2,13 @@
 Product: Mono: Tools
 Version: 1.1
 OS: GNU/Linux [Other]
 OS Details: 
 Status: NEW   
+Severity: Unknown
 Priority: Major
 Component: tools
 AssignedTo: mono-bugs at ximian.com                            
 ReportedBy: pawel.sakowski at mind-breeze.com               
 QAContact: mono-bugs at ximian.com
 TargetMilestone: ---
@@ -45,6 +45,23 @@
 non-world-writable /var/run/basename.pid as the standard pid file location.
 ------- Additional Comments From pawel.sakowski at mind-breeze.com  2006-02-13 07:11 -------
 Created an attachment (id=16482)
 A proposed minimalist solution (using /var/run instead of /tmp, no improvement in lockfile creation style)
+------- Additional Comments From alp at atoker.com  2006-07-30 08:43 -------
+It seems that no Mono developer is willing to maintain this code. The
+shell script is a total hack. It's unsupportable and should not ship
+in its current state.
+I just helped someone who was trying to use mono-service (the shell
+script) on a production server. After looking at the script, I noticed
+that it redirects all output including standard error to /dev/null --
+this is also no good.
+This critical security bug has been open for six months without
+getting assigned or commented on, so I'll be happy to remove the
+script from the install target in a couple of days if there's no
+further comment as it seems to be unmaintained, and no changes have
+been made since my 2006-04-21 fixes.

More information about the mono-bugs mailing list