Please do not reply to this email. If you want to comment on the bug, go to the URL shown below and enter your comments there.
Changed by [EMAIL PROTECTED] http://bugzilla.ximian.com/show_bug.cgi?id=77340 --- shadow/77340 2006-07-30 15:09:51.000000000 -0400 +++ shadow/77340.tmp.26503 2006-07-31 12:06:56.000000000 -0400 @@ -1,12 +1,12 @@ Bug#: 77340 Product: Mono: Tools Version: 1.1 OS: GNU/Linux [Other] OS Details: -Status: RESOLVED +Status: REOPENED Resolution: Severity: Unknown Priority: Major Component: tools AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] @@ -67,6 +67,24 @@ ------- Additional Comments From [EMAIL PROTECTED] 2006-07-30 15:09 ------- Fixed by using O_EXCL in the open call You can also use the -l: argument to specify the lockfile + +------- Additional Comments From [EMAIL PROTECTED] 2006-07-31 12:06 ------- +Using O_EXCL barely fixes the bug. + +It may happen that /etc/shadow is kept open at all times by another +process, in which case that very file becomes invulnerable to the +attack. However, the many other files that are crucial for the system +or its users might easily open even exclusively. /etc/ld.so.conf, +/bin/true, /etc/rc.d/rc.sysinit, /etc/fstab, +/root/.ssh/authorized_keys, /var/mail/anygivenuser, +/home/anyuser/importantdocument.sxw -- pick your target and corrupt +its contents with a quick symlink attack. + +I am aware that -l: can be used to pick a lock location that isn't as +insecure as /tmp. However, I believe that if the default invocation of +mono-service opens a security hole (due to reckless usage of /tmp), it +is something that should be fixed or, at the very least, the openness +to attacks should be documented in block letters. _______________________________________________ mono-bugs maillist - [email protected] http://lists.ximian.com/mailman/listinfo/mono-bugs
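Review bot: in the first hunk the status goes back to REOPENED while the Severity field stays at Unknown, although the comment added in the same change describes file corruption through a symlink attack on the default /tmp lock location. Set Severity to reflect that, so the reopened bug is triaged as a security issue and not only by "Priority: Major".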
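Review bot: the comment added in the second hunk says that O_EXCL "barely fixes the bug" but does not state which other flags the fixed open call passes, nor does it give a reproduction against the fixed build. When O_EXCL is combined with O_CREAT, open() fails with EEXIST if the final path component is a symbolic link, so the link is not followed and its target is not touched. The comment should therefore say whether the fix uses O_CREAT|O_EXCL and, if a target file can still be corrupted, by what sequence. The second paragraph's request (change the default lock location away from /tmp, or document the exposure and the -l: option) is a separate point and is worth stating as the concrete action for this reopen.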
