Re: security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)

Robert Felber
Fri, 28 Mar 2008 02:19:46 -0700

On Fri, Mar 28, 2008 at 09:50:45AM +0100, Robert Felber wrote:
> On Fri, Mar 28, 2008 at 09:40:24AM +0100, Robert Felber wrote:
> > On Thu, Mar 27, 2008 at 11:52:17PM +0100, Andrej Kacian wrote:
> > > On Tue, 25 Mar 2008 01:40:31 +0100
> > > Robert Felber <[EMAIL PROTECTED]> wrote:
> > > 
> > > > the new version addresses the issue below. Policyd-weight does now exit 
> > > > if it
> > > > detects symlinks on directories or sockets at startup or directory 
> > > > creation.
> > > 
> > > Hello Robert,
> > > 
> > > I'm afraid 0.1.14.15 doesn't fix the issue reported.
> > > 
> > > By symlinking /tmp/.policyd-weight to /root and starting policyd-weight, 
> > > I was
> > > still able to change ownership of /root directory to user policyd-weight 
> > > is
> > > configured to run as.
> > 
> > Thanks for reporting.
> > 
> > This is weird, and I am a little bit confused:
> > 
> > # perl -wle 'if(-l "/tmp/.policyd-weight"){ print "err" }'
> > err
> > 
> > The question is now, why the same test in policyd-weight is
> > not resulting in a true value.
> 
> 
> strace of policyd-weight:
> lstat("/tmp/.policyd-weight/", {st_mode=S_IFDIR|0700, st_size=512, ...}) = 0
> 
> strace of command line perl:
> lstat("/tmp/.policyd-weight", {st_mode=S_IFLNK|0700, st_size=18, ...}) = 0
> 
> strace of command line perl with trailing slash:
> lstat("/tmp/.policyd-weight/", {st_mode=S_IFDIR|0700, st_size=512, ...}) = 0
> 
> 
> other test:
> 
> # if [ -L /tmp/.policyd-weight ]; then echo err; fi
> err
> # if [ -L /tmp/.policyd-weight/ ]; then echo err; fi
> #
> 
> What the? If I want a check for -d then I'd say so.
> 
> I am a bit puzzled on how to handle this, and - who to blame.
> 
> However, I will strip trailing / as a workaround.


I'll update the releases today.


Patch below:

--- /old/policyd-weight   Tue Mar 25 00:25:39 2008
+++ /new/policyd-weight   Fri Mar 28 10:06:46 2008
@@ -23,9 +23,9 @@
 # see http://spf.pobox.com/
 #
 # AUTHOR:  [EMAIL PROTECTED]
-# DATE:    Mon Mar 24 23:59:00 CET 2008
+# DATE:    Fri Mar 28 10:08:42 CET 2008
 # NAME:    policyd-weight
-# VERSION: 0.1.14 beta-15
+# VERSION: 0.1.14 beta-16
 # URL:     http://www.policyd-weight.org/
 
 
@@ -78,7 +78,7 @@
 
 use vars qw($csock $s $tcp_socket $sock $new_sock $old_mtime);
 
-our $VERSION   = "0.1.14 beta-15";
+our $VERSION   = "0.1.14 beta-16";
 our $CVERSION  = 5;                 # cache interface version
 our $CMD_DEBUG = 0;                 # -d switch 
 our $KILL;                          # -k switch
@@ -3624,7 +3624,13 @@
     my $who = shift;
     for ( @_ )
     {
-        if( -l $_ )
+
+        # strip trailing '/'
+        # perl and test(1) ignore the request for -l/-L and
+        # do a lstat with S_IFDIR (added in 0.1.14 beta-16)
+        s/\/+$//;
+
+        if ( -l $_ )
         {
             fatal_exit("$who: $_ is a symbolic link. Symbolic links are not 
expected and not allowed within policyd-weight. Exiting!");
         }


-- 
    Robert Felber (PGP: 896CF30B)
    Munich, Germany

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/

Reply via email to

policyd-weight-list

Re: security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)