|
Message-ID: <20111201214004.GA19622@altlinux.org>
Date: Fri, 2 Dec 2011 01:40:04 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: [owl-cvs] Owl/packages/rpm
On Mon, Jul 25, 2011 at 05:35:15AM +0400, Owl CVS (solar) wrote:
> Update of /Owl/packages/rpm
>
> Modified Files:
> rpm.spec
> Added Files:
> rpm-4.2-owl-remove-unsafe-perms.diff
> Log Message:
> Added a patch to remove unsafe file permissions (chmod'ing files to 0) on
> package removal or upgrade to prevent continued access to such files via
> hard-links possibly created by a user (CVE-2005-4889, CVE-2010-2059).
There is a risk to get into big trouble with this change, because
hardlinked files could be legally created by packages without any user
intervention. For example, our screen package hardlinks
/usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter to
/usr/libexec/screen/, and only by sheer luck (we happily have a %preun
script that removes these /usr/libexec/screen/* files) screen package
removal does not lead to zeroing permissions of
/usr/libexec/chkpwd/tcb_chkpwd and /usr/libexec/utempter/utempter.
Those who rely on rpm to remove %ghost files may some day be trapped by
this hardening feature.
I actually got trapped after porting it to Sisyphus where permissions of
several system config files including /etc/nsswitch.conf were zeroed after
removing a chrooted daemon.
--
ldv
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.