Re: majordomo local exploit

From: Coolio (coolio@K-R4D.COM)
Date: Wed Dec 29 1999 - 18:28:40 PST

    On Wed, 29 Dec 1999, Taneli Huuskonen wrote:
    
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > "Todd C. Miller" <Todd.Millerat_private> wrote:
    >
    > > For those using perl 5.x, you can use sysopen() instead of the "magic"
    > > perl open() to fix this.
    >
    > I'm afraid that wouldn't help much, as you can supply any pathname as
    > the -C (configuration file) argument:
    >
    > 	/path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
    >
    > I tested this with version 1.94.1, but the same behaviour seems to be
    > there in 1.94.4, as far as I can tell by the source.
    >
    > Taneli Huuskonen
    >
    
    There are numerous holes in majordomo's scripts. Most of them allow you to
    specify an alternate .cf file, and that file is executed as
    majordomo.daemon or majordomo.majordomo. A FreeBSD box I was doing testing
    on had it running as group daemon, as INSTALL suggested, and because mrtg
    was group daemon and 775 instead of 755 (I'm not sure if that's how mrtg
    is installed by default) and mrtg is crontabbed to run as root every 5
    minutes, this tiny hole in majordomo gives root to any local user.
    
    To continue using majordomo I recommend a) fixing the open() hole Brock
    Tellier found, and b) removing the ability to specify an alternate .cf
    file from all the majordomo scripts.
    
    Is there a safe way to allow users to specify an alternate majordomo.cf?
    
    - Coolio
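The escalation chain in the post (code execution as group daemon, a 775 mrtg directory owned by that group, root cron running mrtg every five minutes) is cheap to audit for. The following script is an added example and is not part of the original message or of majordomo or mrtg: it walks a crontab file, pulls every absolute path out of each command line, and flags any program, argument file or parent directory whose mode grants write to group or other. All paths, the crontab contents and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: audit a crontab for commands whose executable, argument
# files or parent directories are group- or world-writable. Such an entry in
# root's crontab lets anyone who can write as that group (e.g. a majordomo
# wrapper running as majordomo.daemon) run code as root on the next tick.
# Function names and all sample paths are constructed for this demo.

# check_cron_path TARGET
#   Prints a WRITABLE line for TARGET or its directory when the mode string
#   from ls -ld shows a group (6th char) or other (9th char) write bit.
#   Returns 0 when neither is writable, 1 otherwise.
check_cron_path() {
    target="$1"
    targetdir=$(dirname "$target")
    status=0
    for f in "$target" "$targetdir"; do
        [ -e "$f" ] || continue          # missing config files are fine; skip
        mode=$(ls -ld "$f" | cut -c1-10)  # e.g. drwxrwxr-x
        case "$mode" in
            ?????w????|????????w?)
                echo "WRITABLE: $f (referenced by cron entry $target)"
                status=1
                ;;
        esac
    done
    return $status
}

# audit_crontab FILE
#   Reads crontab lines, skips comments and blanks, drops the five schedule
#   fields (and any user field, which is never an absolute path) and checks
#   every absolute-path token of the command. Prints a findings count and
#   returns 0 only when nothing was flagged.
audit_crontab() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        paths=$(printf '%s\n' "$line" |
            awk '{ for (i = 6; i <= NF; i++) if ($i ~ /^\//) print $i }')
        for p in $paths; do
            check_cron_path "$p" || findings=$((findings + 1))
        done
    done < "$1"
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_cron.sh /etc/crontab  (or a dump of `crontab -l -u root`)
if [ $# -gt 0 ]; then
    audit_crontab "$1"
fi
```

The check deliberately looks at the parent directory as well as the file: in the post the mrtg binary itself need not be writable, a 775 directory is enough, since a group member can rename the original away and drop a replacement under the same name. Run it against root's crontab and against /etc/crontab; anything it flags should be chowned or chmodded before touching the majordomo scripts.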
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:24:39 PDT