Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Dec 2011 01:40:04 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: [owl-cvs] Owl/packages/rpm

On Mon, Jul 25, 2011 at 05:35:15AM +0400, Owl CVS (solar) wrote:
> Update of /Owl/packages/rpm
> 
> Modified Files:
> 	rpm.spec 
> Added Files:
> 	rpm-4.2-owl-remove-unsafe-perms.diff 
> Log Message:
> Added a patch to remove unsafe file permissions (chmod'ing files to 0) on
> package removal or upgrade to prevent continued access to such files via
> hard-links possibly created by a user (CVE-2005-4889, CVE-2010-2059).

There is a risk to get into big trouble with this change, because
hardlinked files could be legally created by packages without any user
intervention.  For example, our screen package hardlinks
/usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter to
/usr/libexec/screen/, and only by sheer luck (we happily have a %preun
script that removes these /usr/libexec/screen/* files) screen package
removal does not lead to zeroing permissions of
/usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter.
Those who rely on rpm to remove %ghost files may some day be trapped by
this hardening feature.
I actually got trapped after porting it to Sisyphus where permissions of
several system config files including /etc/nsswitch.conf were zeroed after
removing a chrooted daemon.


-- 
ldv

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.