Hi,

> On Fri, Dec 10, 2010 at 03:10:19AM +0100, Florian Zumbiehl wrote:
> > Package: aolserver4
> > Version: 4.5.0-16.1
> > Severity: grave
> > Justification: privilege escalation vulnerability
> > Tags: security
> > ---------------------------------------------------------------------------
> > chown -R www-data:www-data $LOGDIR
> > chmod 755 $LOGDIR
> > ---------------------------------------------------------------------------
> >
>
> Indeed, this code snippet potentially exposes to easy file linking abuse
> (not necessarily symlinking) by evil scripts. Of course, in order to do
> that one has to abuse some tcl adp scripts too before.

Yeah, for most packages this probably is not a remote vulnerability. But
after all, there is a reason for not running services as root ;-)

> I think the right thing to do is avoiding changing the ownership of
> the files, and simply restart the server after rotating.
>
> chown www-data:www-data $LOGDIR
> chmod 755 $LOGDIR
>
> If the new log file linked a system file, aolserver would fail to
> log, plain and clean, else it would create a new file and proceed
> (that would be the same with sym or hard links).
>
> Other apps, such as openacs or dotlrn should do the same in their
> own dirs.

Well, yeah, there is also a vulnerability due to this maintainer script
itself, though I mostly intended to point out the vulnerability in
logrotate which could be fixed in such a way that logrotate itself could
create new log files without compromising security (which is the case in
testing, though with the avoidable regression mentioned).

Florian
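The link-planting problem under discussion, as an added example that is not code from the bug report, from the aolserver4 package or from Debian: the vulnerable `chown -R` form is kept only as a comment, and the safe form changes the owner of the directory inode alone, after checking that nothing inside already looks like a planted link. The names `LOGDIR`, `logdir_has_links` and `fix_logdir_perms` are hypothetical and chosen for this illustration; the sample directory and files in the usage at the bottom are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the bug report or the aolserver4 package.
# It contrasts the recursive chown quoted in the report with a form that
# only touches the directory itself, and adds a pre-check for planted links.
# LOGDIR, logdir_has_links and fix_logdir_perms are hypothetical names.

# Vulnerable pattern from the report (kept as a comment, do not run as root):
#   chown -R www-data:www-data "$LOGDIR"
#   chmod 755 "$LOGDIR"
# Because www-data can write $LOGDIR, it can first do
#   ln /some/root-owned/file "$LOGDIR/error.log"
# A hard link is just another name for the same inode, so the recursive
# chown run by root changes the owner of that root-owned file itself.
# No symlink is needed, which is why the report says "not necessarily
# symlinking".

# Return 0 if $1 contains a symlink or a regular file with more than one
# name (i.e. a hard link to something elsewhere), return 1 if it is clean.
logdir_has_links() {
    dir=$1
    found=$(find "$dir" -mindepth 1 \
                \( -type l -o \( -type f -links +1 \) \) -print | head -n 1)
    [ -n "$found" ]
}

# Safe replacement: chown only the directory inode, never its contents.
# -h stops chown from following $dir if $dir itself has been replaced by
# a symlink. The service recreates its log files when restarted, so
# nothing inside needs re-owning; if the directory already holds links,
# refuse to touch it at all and let the caller investigate.
fix_logdir_perms() {
    dir=$1
    owner=$2
    if logdir_has_links "$dir"; then
        echo "refusing: $dir contains symlinks or multiply-linked files" >&2
        return 1
    fi
    chown -h "$owner" "$dir" && chmod 755 "$dir"
}

# Usage on a constructed directory (run as an ordinary user, owner = self):
#   LOGDIR=$(mktemp -d)/logs; mkdir "$LOGDIR"
#   fix_logdir_perms "$LOGDIR" "$(id -un)"
```

In a maintainer script this runs as root with `www-data:www-data` as the owner argument, followed by a service restart so the daemon opens fresh log files as its own user. On Linux 3.6 and later with `fs.protected_hardlinks=1` an unprivileged user can no longer hard-link files it does not own, which blocks the hard-link variant, but the symlink case and older kernels still call for the non-recursive form.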

