Re: security: version update: version 0.1.14 beta-17
Hi Robert, What's this: postfix/policyd-weight[18125]: warning: cache: err: cache: chdir /tmp/.policyd-weight/: No such file or directory at /usr/sbin/policyd-weight line 2948, GEN8330 line 100 That's with beta-17, yet # ls -ld /tmp/.policyd-weight/ drwx-- 2 polw polw 4096 2008-03-29 14:09 /tmp/.policyd-weight/ So No such message yet such a directory? That directory in this case has been recreated by policyd-weight - I misread your workaround suggestion as instructions to go ahead and delete it. Maybe if I hadn't it wouldn't be broken? Thanks, Whit On Fri, Mar 28, 2008 at 04:16:29PM +0100, Robert Felber wrote: Hello, policyd-weight still did not check the working directory correctly. 1st: I assumed [ -L /foo/bar ] is the same as [ -L /foo/bar/ ] because the -L tells the file test what to look for. But in the latter form it is checked with S_IFDIR. We normalize the path with File::Spec-canonpath as s,/+$,, is not sufficient. 2nd: policyd-weight didn't check the ownership of real directories which might have been resulted in a race attack. Policyd-weight once gets the stat/lstat and reuses that information in order to provide some sort of atomicity of the check_symlnk() sub-routine. MD5 (policyd-weight)= 68373b7cfeda52b78df6229ed658771e SHA256 (policyd-weight) = 4245495685e516e00a363a97aaa17456f48c51fcbdb4458989a9d68db64083bc MD5 (policyd-weight-0.1.14.17.tar.gz) = c90128d2442ba343e8127dc0dbdcfd9a SHA256 (policyd-weight-0.1.14.17.tar.gz)= c13bac397cbd8c018b41686da4e4ce9450fb045752d7f0ab518d9836b39dbf36 -- Robert Felber (PGP: 896CF30B) Munich, Germany Policyd-weight Mailinglist - http://www.policyd-weight.org/ Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: security: version update: version 0.1.14 beta-17
On Sat, Mar 29, 2008 at 02:12:20PM -0400, Whit Blauvelt wrote: Hi Robert, What's this: postfix/policyd-weight[18125]: warning: cache: err: cache: chdir /tmp/.policyd-weight/: No such file or directory at /usr/sbin/policyd-weight line 2948, GEN8330 line 100 A misguiding log-message. Following patch makes it not more clear, but more correct. --- old/policyd-weight Fri Mar 28 15:55:22 2008 +++ new/policyd-weight Sat Mar 29 20:50:44 2008 @@ -2945,7 +2945,8 @@ # change directory to $LOCKPATH in order to get some # coredumps just in case. -chdir $LOCKPATH/cores/cache or die cache: chdir $LOCKPATH: $!; +chdir $LOCKPATH/cores/cache or die +cache: chdir $LOCKPATH/cores/cache: $!; mylog(info='cache spawned'); Manually killing policyd-weight implies to kill the cache instance. The way to completely shut down policyd-weight is policyd-weight -k stop This doesn't work anymore if the directory has been deleted, in such cases you need to do a ps xauww | grep policyd-weight and kill the pids by verifying that it is a policyd-weight process. Policyd-weight needs completely to be shut down _before_ you change the $LOCKPATH config parameter. -- Robert Felber (PGP: 896CF30B) Munich, Germany Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: security: version update: version 0.1.14 beta-17
On Fri, 28 Mar 2008, Robert Felber wrote: 1st: I assumed [ -L /foo/bar ] is the same as [ -L /foo/bar/ ] because the -L tells the file test what to look for. But in the latter form it is checked with S_IFDIR. If you have a trailing slash, Linux follows the symbolic link and runs lstat on what the link points to, not the link itself. You can demonstrate the same behavior with ls: [EMAIL PROTECTED] ~/tmp $ mkdir foo [EMAIL PROTECTED] ~/tmp $ ln -s foo bar [EMAIL PROTECTED] ~/tmp $ touch foo/baz [EMAIL PROTECTED] ~/tmp $ ls -l bar lrwxrwxrwx 1 henson henson 3 Mar 28 16:21 bar - foo [EMAIL PROTECTED] ~/tmp $ ls -l bar/ total 0-rw-r--r-- 1 henson henson 0 Mar 28 16:21 baz Interestingly, other operating systems display different behavior. For example, under Solaris 8: $ ls -l bar/ lrwxrwxrwx 1 henson csupomona 3 Mar 28 15:20 bar/ - foo I'm not sure which is the more correct behavior... Also, the S_IFDIR output from strace isn't an argument to lstat, it's the return value of the lstat call. 2nd: policyd-weight didn't check the ownership of real directories which might have been resulted in a race attack. Policyd-weight once gets the stat/lstat and reuses that information in order to provide some sort of atomicity of the check_symlnk() sub-routine. There are still race conditions present in the code. It is rather difficult to securely create files/directories in a world writable directory. If you are running on a multiuser system, it's probably best to have the lock directory someplace writable only by the service user. -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | [EMAIL PROTECTED] California State Polytechnic University | Pomona CA 91768 Policyd-weight Mailinglist - http://www.policyd-weight.org/