Thanks to nnposter <[EMAIL PROTECTED]> for catching and helping with solving this.
This is a minor security issue. Repeat: minor. It does not affect the baseline ntop, only a script we provide for running in RedHat and similar /etc/init.d/ based environments. This script IS used in the .rpm files posted at SourceForge.

You are only at risk IF - and ONLY IF - BOTH of the following conditions are true:

  1) You use the startup script in packages/RedHat/ntop.init (i.e. the RPMs posted at SourceForge)

  AND

  2) Your /etc/ntop.conf is writable by users other than root (for example to allow them to change the -B "filter" expression).

If you meet those conditions, you should update your script to the new version in the cvs.

Mitigation:

  * Condition #2 represents a very bad practice. If ANY of your configuration files in /etc are world-writable, you probably have lots of other security problems.

  * There are some odd limits on what you can execute, meaning it's not something you are going to trip over by accident.

Still, the present script does allow for somewhat arbitrary code to be executed as root during ntop startup. It would cause ntop to fail to start, but the code would have already been executed by that point. So it should be fixed.

Also: If you run multiple instances of ntop, especially if you want to use different code bases, you should also update. The script now has explicit support and instructions for this. Look for:

  # Modify this to run multiple instances of ntop
  instance=""

  # Modify this if ntop is somewhere else or you want to run sntop, etc.
  prog="/usr/bin/ntop"

And

  # If you need to specify a LD_LIBRARY_PATH, use this:
  #ldlibpath="/xxxxx/lib/ntop/:/xxxxx/lib/ntop/plugins/:/xxxxx/lib/plugins/"

For the full set of changes:

  cvs diff -U3 -r 1.7 -r 1.9 packages/RedHat/ntop.init

-----Burton

_______________________________________________
Ntop-dev mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
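The guard below is an added example for the second condition in the post, not code from ntop or its ntop.init: a root-run init script checks that its config file is root-owned and not group/world-writable before using it, and reads the -B value out of it as plain text instead of evaluating the file. The /etc/ntop.conf path and the one-option-per-line layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of ntop's ntop.init: startup-time guards for a config
# file that a root-run init script is about to use. Written in POSIX sh with
# find (no GNU stat) so it fits a RedHat-style /etc/init.d script.
# The config file path and the one-option-per-line format are assumptions.

# Succeed (return 0) when FILE is writable by its group or by everyone.
conf_writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Succeed when FILE is a regular file owned by USER (name or numeric uid).
conf_owned_by() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# Refuse to use FILE unless it is owned by OWNER (default: root) and cannot be
# modified by anyone else. Prints the reason on stderr and returns 1 otherwise.
ntop_conf_is_trusted() {
    conf="$1"; owner="${2:-root}"
    if ! conf_owned_by "$conf" "$owner"; then
        echo "$conf: missing or not owned by $owner; refusing to use it" >&2
        return 1
    fi
    if conf_writable_by_others "$conf"; then
        echo "$conf: writable by group or others; refusing to use it" >&2
        return 1
    fi
    return 0
}

# Print the value of one option (e.g. -B) from FILE as plain text. The file is
# never sourced or eval'ed, so nothing in it can run as root. Assumes a
# one-option-per-line layout such as:   -B "not port 22"
ntop_conf_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# Typical use in an init script (paths assumed):
#   ntop_conf_is_trusted /etc/ntop.conf || exit 1
#   filter=$(ntop_conf_option /etc/ntop.conf -B)
#   daemon /usr/bin/ntop -B "$filter"
```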
