Re: Xinetd /tmp race?

From: Marc Heuse (marcat_private)
Date: Fri Nov 13 1998 - 00:09:06 PST


    Hi,
    
    > If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
    > this method isn't checked against /tmp, and it happily overwrites anything
    > in the place of that file.  The package has been released in 1997, IMHO this
    > is too old to have a bug of this kind hidden.
    
    hmm you did inform the xinetd maintainer in the first place, right?
    
    an update for Suse Linux distributions is available at ftp.suse.com.
    
    > BTW here's the patch:
    
    your patch leaves xinetd still vulnerable.
    Here's the one we issued (which was also sent to the maintainer).
    It's hard to secure a create-or-append open call, anyone with an
    idea for a standard solution?
    [This patch leaves xinetd vulnerable if /tmp is not sticky, so it's
    not 100% without changing the design or location of how the dump
    should be done. But a system without a sticky /tmp is a problem anyway]
    
    --- internals.c.orig    Wed Jan 24 20:32:46 1996
    +++ internals.c Thu Nov 12 11:18:39 1998
    @@ -8,6 +8,7 @@
    
     #include <sys/types.h>
     #include <sys/stat.h>
    +#include <unistd.h>
     #ifdef linux
     #include <sys/time.h>
     #endif
    @@ -54,9 +55,24 @@
            time_t current_time ;
            register int fd ;
            register unsigned u ;
    +       struct stat stat ;
            char *func = "dump_internal_state" ;
    
    -       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ;
    +       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ;
    +       if ( dump_fd == -1 )
    +       {
    +               if ( lstat( dump_file, &stat) != 0)
    +               {
    +                       msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
    +                       return ;
    +               }
    +               if (stat.st_uid != getuid())
    +               {
    +                       msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ;
    +                       return ;
    +               }
    +               dump_fd = open( dump_file, O_WRONLY + O_APPEND) ;
    +       }
            if ( dump_fd == -1 )
            {
                    msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
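    Review bot: the fallback `+               dump_fd = open( dump_file, O_WRONLY + O_APPEND) ;` reopens the path by name after the lstat() check, so an lstat()-to-open() window remains: whatever sits at dump_file at the moment of the second open() is followed, symlink included, which is the gap the bracketed note about a non-sticky /tmp admits. Narrow it by fstat()-ing the returned descriptor and refusing unless st_dev/st_ino match the lstat() result and S_ISREG() holds on both (and, where the platform offers it, O_NOFOLLOW on the second open). Smaller points in the same hunk: `+               if (stat.st_uid != getuid())` should compare against geteuid(), since the file is created with the effective uid and the two differ after a uid switch, and it accepts any existing object owned by that uid, so add an S_ISREG() test on st_mode; `+       struct stat stat ;` shadows the stat() function for the rest of the scope, so a name such as `sb` is safer; and the "security: I'm not owning %s: %m" message follows a successful lstat(), so %m prints a stale errno rather than anything about this failure.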
    
    
    
    Greets,
            Marc
    --
      Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
      E@mail: marcat_private      Function: Security Support & Auditing
      issue a  "finger marcat_private | pgp -fka" for my public pgp key
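One answer to the create-or-append question above, as an added example that is not code from the xinetd patch or from Marc's message: exclusive create first, and if something already exists, inspect it with lstat(), reopen without following links, then prove with fstat() that the descriptor refers to the inspected inode. It assumes a POSIX.1-2008 system (O_NOFOLLOW, mkdtemp); the function names safe_append_open, demo_create_then_append and demo_rejects_symlink and the /tmp/safe_append_XXXXXX location are mine, not xinetd's.

```c
/* Added example, not code from the xinetd patch or from Marc's message:
 * a create-or-append open that refuses to follow anything another user
 * pre-placed at the dump path. Assumes POSIX.1-2008 (O_NOFOLLOW, mkdtemp). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an fd open for append, or -1 if the path cannot be used safely. */
int safe_append_open(const char *path, mode_t mode)
{
    struct stat before, after;
    int fd;

    /* 1. Exclusive create: succeeds only if nothing (not even a symlink) is there. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd != -1 || errno != EEXIST)
        return fd;

    /* 2. Something exists: inspect it without following links. Require a regular
     *    file, owned by our effective uid, with a single link (a hard link to a
     *    victim file would show st_nlink > 1). */
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode) ||
        before.st_uid != geteuid() || before.st_nlink != 1)
        return -1;

    /* 3. Reopen without following symlinks, closing the lstat-to-open window
     *    against a swapped-in link. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd == -1)
        return -1;

    /* 4. Prove the object we opened is the object we inspected. */
    if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || !S_ISREG(after.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo 1: first call creates the file, second call appends. Returns 1 on success. */
int demo_create_then_append(void)
{
    char dir[] = "/tmp/safe_append_XXXXXX";     /* constructed sample location */
    char path[64];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/xinetd.dump", dir);
    fd = safe_append_open(path, 0600);
    if (fd != -1 && write(fd, "first\n", 6) == 6) {
        close(fd);
        fd = safe_append_open(path, 0600);         /* takes the EEXIST branch */
        if (fd != -1 && write(fd, "second\n", 7) == 7 &&
            fstat(fd, &st) == 0 && st.st_size == 13)
            ok = 1;
    }
    if (fd != -1)
        close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}

/* Demo 2: a symlink pre-placed at the dump path is refused and its target
 * stays empty. Returns 1 when both hold. */
int demo_rejects_symlink(void)
{
    char dir[] = "/tmp/safe_append_XXXXXX";     /* constructed sample location */
    char path[64], target[64];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/xinetd.dump", dir);
    snprintf(target, sizeof target, "%s/victim", dir);  /* stands in for a file worth protecting */
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd != -1 && close(fd) == 0 && symlink(target, path) == 0) {
        fd = safe_append_open(path, 0600);
        if (fd == -1 && stat(target, &st) == 0 && st.st_size == 0)
            ok = 1;
        if (fd != -1)
            close(fd);
    }
    unlink(path);
    unlink(target);
    rmdir(dir);
    return ok;
}
```

The dev/ino comparison in step 4 is what makes the sequence hold even when the directory is not sticky: a file swapped in between lstat() and open() will not match the inspected inode and is closed unopened-for-writing. Moving the dump out of a world-writable directory altogether, as the message itself suggests, remains the simpler fix.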
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:06 PDT