[Mono-bugs] [Bug 77340][Maj] Changed - Local user can overwrite arbitrary file using mono-service
bugzilla-daemon at bugzilla.ximian.com
Mon Jul 31 12:06:56 EDT 2006
Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by pawel.sakowski at mindbreeze.com.
http://bugzilla.ximian.com/show_bug.cgi?id=77340
--- shadow/77340 2006-07-30 15:09:51.000000000 -0400
+++ shadow/77340.tmp.26503 2006-07-31 12:06:56.000000000 -0400
@@ -1,12 +1,12 @@
Bug#: 77340
Product: Mono: Tools
Version: 1.1
OS: GNU/Linux [Other]
OS Details:
-Status: RESOLVED
+Status: REOPENED
Resolution:
Severity: Unknown
Priority: Major
Component: tools
AssignedTo: mono-bugs at ximian.com
ReportedBy: pawel.sakowski at mind-breeze.com
@@ -67,6 +67,24 @@
------- Additional Comments From miguel at ximian.com 2006-07-30 15:09 -------
Fixed by using O_EXCL in the open call
You can also use the -l: argument to specify the lockfile
+
+------- Additional Comments From pawel.sakowski at mindbreeze.com 2006-07-31 12:06 -------
+Using O_EXCL barely fixes the bug.
+
+It may happen that /etc/shadow is kept open at all times by another
+process, in which case that very file becomes invulnerable to the
+attack. However, the many other files that are crucial for the system
+or its users might easily open even exclusively. /etc/ld.so.conf,
+/bin/true, /etc/rc.d/rc.sysinit, /etc/fstab,
+/root/.ssh/authorized_keys, /var/mail/anygivenuser,
+/home/anyuser/importantdocument.sxw -- pick your target and corrupt
+its contents with a quick symlink attack.
+
+I am aware that -l: can be used to pick a lock location that isn't as
+insecure as /tmp. However, I believe that if the default invocation of
+mono-service opens a security hole (due to reckless usage of /tmp), it
+is something that should be fixed or, at the very least, the openness
+to attacks should be documented in block letters.
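Review bot: the context line "Fixed by using O_EXCL in the open call" does not say whether O_CREAT is passed together with O_EXCL, and the comment added below it turns on exactly that. open() with O_CREAT|O_EXCL fails with EEXIST when the path already exists, a symbolic link included, and does not follow the link, whereas O_EXCL without O_CREAT has undefined behaviour under POSIX. The record should state the exact flags used in the fix and the default lock file path, so the claim that other files "might easily open even exclusively" can be checked against the code. The second point in the added comment, the default lock location under /tmp, is a separate issue from the flags: changing the default to a directory that is not world-writable would address it more directly than documenting it or relying on -l:.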