Hello, attached is a possible patch for that issue. This is just a starting point, as I was not able to test the patch myself. Also, I used 660 as permissions to the file, I'm not sure of whether it's sensible or not.
Please review and test before applying. HTH anyway, Mt. -- Nous avons neuf mois de vie privée avant de naître, ça devrait nous suffire. -- Heathcote Williams, Actuel n°48, novembre 74.
Initial report (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5638) | The sanlock server creates the /var/log/sanlock.log world writable | allowing any one on the system to wipe the contents of the log file or | to store data within the log file (bypassing any quotas applied to | their account). The affected code (in src/log.c) is: | | int setup_logging(void) { | int fd, rv; | snprintf(logfile_path, PATH_MAX, "%s/%s", SANLK_LOG_DIR, | SANLK_LOGFILE_NAME); | logfile_fp = fopen(logfile_path, "a+"); This patch was proposed by Martin Quinson, but not really tested as I don't use sanlock myself. Also, I used 660 as permissions to the file, I'm not sure of whether it's sensible or not. Index: sanlock-2.2/src/log.c =================================================================== --- sanlock-2.2.orig/src/log.c 2012-05-07 17:43:52.000000000 +0200 +++ sanlock-2.2/src/log.c 2012-12-24 22:19:10.437901274 +0100 @@ -252,10 +252,12 @@ snprintf(logfile_path, PATH_MAX, "%s/%s", SANLK_LOG_DIR, SANLK_LOGFILE_NAME); - logfile_fp = fopen(logfile_path, "a+"); - if (logfile_fp) { - fd = fileno(logfile_fp); + fd = open(logfile_path,O_CREAT | O_WRONLY, S_IRUSR|S_IWUSR | S_IRGRP|S_IWGRP); + if (fd != -1) { fcntl(fd, F_SETFD, fcntl(fd, F_GETFD, 0) | FD_CLOEXEC); + logfile_fp = fdopen(fd, "a+"); + } else { + logfile_fp = NULL; } log_ents = malloc(log_num_ents * sizeof(struct entry));
