Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 7 Sep 2017 08:38:23 -0400
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Cc: Daniel Kahn Gillmor <dkg@...thhorseman.net>
Subject: Re: CVE-2017-12847: nagios-core privilege escalation
 via PID file manipulation

On 09/06/2017 05:15 PM, Daniel Kahn Gillmor wrote:
> 
> But i think future reports of problems with pidfiles (e.g. your helpful
> cleanup of mimedefang -- thanks!)  should always include the suggestion
> to disable pidfiles entirely and to encourage developers who must
> implement them to ensure that they're only an extra feature, for use
> with otherwise limited service managers, and perhaps to be compile-time
> disabled.
> 

I've been reluctant to do this because I'm approaching these as an
OpenRC user, and OpenRC has the ability to supervise the daemon. I
always hate it when someone makes a suggestion (at my expense) that
amounts to "I don't need this, so you don't need this" -- and I don't
want to be /that/ guy.

I think a compile-time option is reasonable, though. Maybe the ability
to fork into the background should also be compiled out in that case.
When I encounter more of these, I'll provide a list of possible
solutions and include "get rid of the PID file" along with its trade-offs.

Most of the PID file vulnerabilities that I've found are in the
distribution init scripts: the only ones that hit this list are the
upstream projects that make it impossible for the distro developers to
get it right. Curiously though, a lot of the problems that I've found in
the distro scripts are for daemons that run in the foreground and are
supposed to be supervised.

Basically, there are two accepted approaches. Forking,

  1. Daemon forks
  2. Daemon writes a PID file
  3. Daemon drops privileges

And supervised:

  4. Daemon runs in the foreground, and does nothing special

What I've found is that many programs choose any old subset of (1)
through (4), and implement them in any order. As a result, init script
authors haven't developed a feel for the right way to do things; they
copy/paste snippets from other init scripts until things seem to work.

I've found services that run with *two* PID files, one of which is
ignored. I've found services that go out of their way to give away
ownership of /run/foo, even though /run/foo/foo.pid is created and owned
by root. Pretty much any way you can go wrong has made an appearance at
least once, and all of these are for daemons that should be supervised
-- the service scripts should be trivial.

Anyway, my point is, it may be optimistic to think that we can help
people not do weird things in their service scripts =)



Download attachment "signature.asc" of type "application/pgp-signature" (982 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.