[Mono-bugs] [Bug 77340][Maj] Changed - Local user can overwrite arbitrary file using mono-service

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Mon Jul 31 12:06:56 EDT 2006

Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by pawel.sakowski at mindbreeze.com.


--- shadow/77340	2006-07-30 15:09:51.000000000 -0400
+++ shadow/77340.tmp.26503	2006-07-31 12:06:56.000000000 -0400
@@ -1,12 +1,12 @@
 Bug#: 77340
 Product: Mono: Tools
 Version: 1.1
 OS: GNU/Linux [Other]
 OS Details: 
-Status: RESOLVED   
+Status: REOPENED   
 Severity: Unknown
 Priority: Major
 Component: tools
 AssignedTo: mono-bugs at ximian.com                            
 ReportedBy: pawel.sakowski at mind-breeze.com               
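
Review bot: Severity stays at "Unknown" in this hunk while the status goes back to REOPENED on a bug titled as a local arbitrary file overwrite with Priority: Major; set Severity in the same change so the reopened report is triaged as a security issue. The ReportedBy address also reads mind-breeze.com while the change comes from mindbreeze.com, so confirm the reporter field is correct and that notifications reach the reporter.
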
@@ -67,6 +67,24 @@
 ------- Additional Comments From miguel at ximian.com  2006-07-30 15:09 -------
 Fixed by using O_EXCL in the open call
 You can also use the -l: argument to specify the lockfile
+------- Additional Comments From pawel.sakowski at mindbreeze.com  2006-07-31 12:06 -------
+Using O_EXCL barely fixes the bug.
+It may happen that /etc/shadow is kept open at all times by another
+process, in which case that very file becomes invulnerable to the
+attack. However, the many other files that are crucial for the system
+or its users might easily open even exclusively. /etc/ld.so.conf,
+/bin/true, /etc/rc.d/rc.sysinit, /etc/fstab,
+/root/.ssh/authorized_keys, /var/mail/anygivenuser,
+/home/anyuser/importantdocument.sxw -- pick your target and corrupt
+its contents with a quick symlink attack.
+I am aware that -l: can be used to pick a lock location that isn't as
+insecure as /tmp. However, I believe that if the default invocation of
+mono-service opens a security hole (due to reckless usage of /tmp), it
+is something that should be fixed or, at the very least, the openness
+to attacks should be documented in block letters.
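
Review bot: The fix note "Fixed by using O_EXCL in the open call" does not say which flags the call now passes, and the added reply reads O_EXCL as an exclusive-lock flag ("might easily open even exclusively"), so the record cannot settle whether the symlink overwrite is closed. With O_CREAT|O_EXCL, open() fails with EEXIST when the path already exists, including when its last component is a symbolic link, so nothing is written through a pre-planted link; O_EXCL without O_CREAT gives no such guarantee. The fix comment should state the exact flags and the default lock-file path. The reply's second point, that the default invocation still places the lock file in /tmp, remains open either way, since another local user can pre-create that name and make the open fail; track it separately, either by moving the default to a directory only the service user can write or by documenting -l: as the expected usage.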
