Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 14 Dec 2012 18:16:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Simon ." <bofh666ftw@...glemail.com>
Subject: Re: pacemaker strcmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/13/2012 09:37 AM, Simon . wrote:
> Hi,
> 
> I might have overlooked something. Starting from Line 39, if
> pacemaker is compiled with ACL support:
> 
> https://github.com/ClusterLabs/pacemaker/blob/master/include/crm_internal.h#L39
>
>  Once a user root\0bar is created, and CRM_DAEMON_USER is #undef we
> can return TRUE. Haven't looked into further details here and I
> think no sane admin will ever allow such a user. What do you guys
> think?
> 
> 
> 
> /* For ACLs */ char *uid2username(uid_t uid); void
> determine_request_user(char *user, xmlNode * request, const char
> *field);
> 
> # if ENABLE_ACL # include <string.h> static inline gboolean 
> is_privileged(const char *user) { if (user == NULL) { return
> FALSE; } else if (strcmp(user, CRM_DAEMON_USER) == 0) {
> <------------- #undef ? return TRUE; } else if (strcmp(user,
> "root") == 0) { <------------------- err return TRUE; } return
> FALSE; } # endif
> 

Can attackers create their own user names or do admins have to create
the accounts (I know nothing about this software)? Also can you
confirm that "root\0bar actually allows ACL bypass with the
application in production? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQy89UAAoJEBYNRVNeJnmT+ZgP/RKlc9LyyfMlIPbeuJqOJSuB
CWWvUuYJWQfhIfniOLyxfDQtU+Bp+LkNyM4Mk5cfxDgLu4bCN4cClWBGTnbvcuDp
VRH0NOfOhNRf7TlZ5UAMzop5EMU1+3mb1XNA15EaxmShikKew98CabiArolSWpge
Y/2eZ5KoxdgHCFRwzWm2NjYGh4KFzgjQY5YkNfYCRuEhMDLAo9zq9gGlREYyHQ2c
SGxEg8jGhnsPF6voAqvZ6wXXMg3s2XmRmEFwC7erTvaPXQ5XNoW3amkEVrDBgeeo
DrMCCiYtiV2exUSxg55+MxlFQyzsp2u8bBxnHCK2bN7r/ZRt/IrLiva8EGn6ANwa
ge1wX3t+MwXZ0iZCjMNtqtK6XpRGfDlAb4nv403fS9waUI+6f/b8YzqooDGdc+SN
on/wX1NJ2HT30Q5d68cSGSK82N1/kl+QolyX9Q5jyAqxCHLyT8psLt9BXsFjH1K9
0eCIFOgoHNEQeh92MgHzQ1ynkPTRQSqIvXvpOyjZ1sdf+gT93jrRxqydV7/nBK7P
Hyt6MdJggBDTai259onIfbjTYavTsio1X1efrvAjxDrfa2HULvXW9QwrWPyUKzg4
JMC0RYzhoUeWg/yhnrUdPjwXuQwp04tzxeNjHWC25Cxs3OHVnBZL4Cbh3/74qt0Q
zvcBlk+wHZFb2njR4hhG
=7JbE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.