Hi, > If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but > this method isn't checked against /tmp, and it happily overwrites anything > in the place of that file. The package has been released in 1997, IMHO this > is too old to have a bug of this kind hidden. hmm you did inform the xinetd maintainer in the first place, right? an update for Suse Linux distributions is available at ftp.suse.com. > BTW here's the patch: your patch leaves xinted still vulnerable. Here's the one we issued (which was also sent to the maintainer). It's hard to secure a create-or-append open call, anyone with an idea for a standard solution? [This patch leave xinetd vulnerable if /tmp is not sticky, so it's not 100% without changing the design or location of how the dump should be done. But a system without a sticky /tmp is a problem anyway] --- internals.c.orig Wed Jan 24 20:32:46 1996 +++ internals.c Thu Nov 12 11:18:39 1998 @@ -8,6 +8,7 @@ #include <sys/types.h> #include <sys/stat.h> +#include <unistd.h> #ifdef linux #include <sys/time.h> #endif @@ -54,9 +55,24 @@ time_t current_time ; register int fd ; register unsigned u ; + struct stat stat ; char *func = "dump_internal_state" ; - dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ; + dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ; + if ( dump_fd == -1 ) + { + if ( lstat( dump_file, &stat) != 0) + { + msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ; + return ; + } + if (stat.st_uid != getuid()) + { + msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ; + return ; + } + dump_fd = open( dump_file, O_WRONLY + O_APPEND) ; + } if ( dump_fd == -1 ) { msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ; Greets, Marc -- Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marcat_private Function: Security Support & Auditing issue a "finger marcat_private | pgp -fka" for my public pgp key
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:06 PDT