Package: uucp
Version: 1.07-24
Severity: normal
In an environment where ulimit -n is 1048576 (as is, for instance, the
case for Docker and most likely other environments that don't have
ulimit/rlimits set by something like systemd-system), most UUCP
programs (including even uulog) try to close nearly all 1048576
possible fds. The culprit code appears to be in unix/init.c:
    /* Close everything but stdin, stdout and stderr. */
    #if HAVE_GETDTABLESIZE
      cdescs = getdtablesize ();
    #else
    #if HAVE_SYSCONF
      cdescs = sysconf (_SC_OPEN_MAX);
    #else
It's pretty gratuitous to try to do such a thing these days,
especially since we have things like CLOEXEC and such now. I would
suggest a sanity check, such that if cdescs is > 1024, to just set it
down to 1024, for instance. I'm having a hard time coming up with a
scenario in which this would represent a security issue.
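As an added illustration (this is not uucp's code, and the function names are hypothetical), the following shows the two mitigations side by side: the clamp suggested above, applied to the value from sysconf(_SC_OPEN_MAX), and a sweep that only touches descriptors which are actually open by reading /proc/self/fd, so its cost scales with open files rather than with the rlimit. It assumes a Linux system with /proc mounted; where /proc is missing it falls back to the clamped brute-force loop. The self-test opens a few constructed descriptors at high numbers and checks that the sweep closes them.

```c
/* Added example, not code from uucp: descriptor sweeps that avoid walking
 * a 1048576-entry table. All names below are hypothetical. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Cap proposed in the report: never sweep more than this many slots. */
#define FD_SWEEP_CAP 1024L

/* Bound for the brute-force loop: sysconf's table size, clamped so that a
 * 1048576-entry limit does not turn into a million close() calls. */
long descriptor_sweep_limit(void)
{
    long cdescs = sysconf(_SC_OPEN_MAX);
    if (cdescs < 0)               /* limit unknown: use the cap itself */
        cdescs = FD_SWEEP_CAP;
    if (cdescs > FD_SWEEP_CAP)
        cdescs = FD_SWEEP_CAP;
    return cdescs;
}

/* Close every descriptor >= lowfd that is actually open, by listing
 * /proc/self/fd (Linux only). Returns the number closed, or -1 if /proc
 * is unavailable so the caller can fall back to the bounded loop. */
int close_open_descriptors_proc(int lowfd)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;

    /* Collect first, then close: closing while readdir() walks the
     * directory would change the listing underneath us. */
    int *fds = NULL;
    size_t n = 0, cap = 0;
    int self = dirfd(dir);        /* the listing's own descriptor */
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] == '.')
            continue;
        char *end;
        long fd = strtol(ent->d_name, &end, 10);
        if (*end != '\0' || fd < lowfd || fd == self)
            continue;
        if (n == cap) {
            cap = cap ? cap * 2 : 16;
            int *grown = realloc(fds, cap * sizeof *fds);
            if (grown == NULL) { free(fds); closedir(dir); return -1; }
            fds = grown;
        }
        fds[n++] = (int)fd;
    }
    closedir(dir);

    int closed = 0;
    for (size_t i = 0; i < n; i++)
        if (close(fds[i]) == 0)
            closed++;
    free(fds);
    return closed;
}

/* Portable fallback: the original brute-force loop, but bounded by the
 * clamped limit instead of the raw table size. */
int close_descriptors_bounded(int lowfd)
{
    long limit = descriptor_sweep_limit();
    int closed = 0;
    for (long fd = lowfd; fd < limit; fd++)
        if (close((int)fd) == 0)
            closed++;
    return closed;
}

/* Close inherited descriptors above stderr, preferring the /proc walk. */
int close_inherited_descriptors(void)
{
    int rc = close_open_descriptors_proc(3);
    return rc >= 0 ? rc : close_descriptors_bounded(3);
}

/* Self-test with constructed input: three copies of /dev/null placed at
 * high descriptor numbers, then swept. Returns the count closed (3 on
 * success) or -1 if setup failed or a descriptor survived the sweep. */
int sweep_self_test(void)
{
    int devnull = open("/dev/null", O_RDONLY);
    if (devnull < 0) return -1;
    if (dup2(devnull, 500) != 500 || dup2(devnull, 501) != 501 ||
        dup2(devnull, 777) != 777) { close(devnull); return -1; }
    close(devnull);
    int closed = close_open_descriptors_proc(500);
    if (fcntl(500, F_GETFD) != -1 || fcntl(777, F_GETFD) != -1)
        return -1;                /* something was left open */
    return closed;
}

int main(void)
{
    printf("table size %ld, sweep bound %ld\n",
           sysconf(_SC_OPEN_MAX), descriptor_sweep_limit());
    printf("closed %d inherited descriptors\n", close_inherited_descriptors());
    return 0;
}
```

The /proc walk is tried first because the clamp alone has a gap: any inherited descriptor numbered 1024 or above would survive a capped loop, and a program that may run under different credentials from its caller should not keep file handles it never asked for. On kernels with close_range(2) (Linux 5.9 and later) that single call replaces both routines; the kernel on this report (4.19) predates it, which is why the example does not rely on it. Setting FD_CLOEXEC on the spawning side, as the report mentions, is the complementary measure and does not remove the need for the exec'd program to defend itself.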
-- System Information:
Debian Release: 10.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages uucp depends on:
ii bsd-mailx [mailx] 8.1.2-0.20180807cvs-1
ii cron 3.0pl1-134
ii cu 1.07-24
ii libc6 2.28-10
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii mailutils [mailx] 1:3.5-3
ii netbase 5.6
ii openbsd-inetd [inet-superserver] 0.20160825-4
Versions of packages uucp recommends:
ii exim4 4.92-8+deb10u3
ii logrotate 3.14.0-4
uucp suggests no packages.
-- Configuration Files:
/etc/uucp/call [Errno 13] Permission denied: '/etc/uucp/call'
/etc/uucp/passwd [Errno 13] Permission denied: '/etc/uucp/passwd'
-- no debconf information