Package: mailleds Version: 0.93-11 Severity: important Tags: security patch
Hi Dennis,

I did a quick security audit of mailleds today and noticed a small but significant flaw in the way it handles the pidfile. It can be abused by local users to kill arbitrary processes on the system by making it create a pidfile with write permission for the user.

It uses fopen() to create the pidfile, which respects the calling user's umask. If the user calls mailleds with umask of 0, the pidfile will be created writable for the user with 0666 permission. The user could now write any pid into it, run mailleds -k and have the process killed. Someone could use this to e.g. kill syslogd.

To fix this, I would suggest adding a call to umask(022) explicitly before write_pidfile() function gets called. Attached patch to this effect is compile tested and verified to fix this bug.

cheers,
Max
$ umask 0
$ mailleds -x
$ ls -al /var/run/mailleds-user.pid
-rw-rw-rw- 1 root user 5 2005-09-21 13:52 /var/run/mailleds-user.pid
$ x=$(pidof syslogd)
$ ps $x
  PID TTY      STAT   TIME COMMAND
 4995 ?        Ss     0:00 /sbin/syslogd
$ echo $x > /var/run/mailleds-user.pid
$ mailleds -k
mailleds: process 4995 killed sucessfully
$ ps $x
  PID TTY      STAT   TIME COMMAND
--- mailleds-0.93/mailleds.c~ 2005-09-21 13:40:32.000000000 +0200 +++ mailleds-0.93/mailleds.c 2005-09-21 13:44:31.000000000 +0200 @@ -425,6 +425,9 @@ } #endif + /* set umask for pidfile */ + umask(022); + /*if (!opt_x) {*/ pid = getpid(); write_pidfile();
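Review bot: the added umask(022) is unconditional and never restored, so it silently changes the permissions of every file mailleds creates after this point, not only the pidfile. Narrow it to the call it protects, e.g. `mode_t old = umask(022); write_pidfile(); umask(old);`, or better, fix write_pidfile() itself to create the file with an explicit mode (open() with 0644 followed by fchmod(), which does not depend on the caller's umask at all). The comment `/* set umask for pidfile */` should also say why: a local user running with umask 0 would otherwise get a world-writable pidfile, which is the bug being fixed.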
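The following is an added example written for this report and is not code from mailleds or from the patch above. It shows the fopen()-based pidfile writer the report describes next to a hardened writer that sets the mode explicitly, runs both under umask 0 in a temporary directory, and adds the read-side check that a "-k" style kill path should perform before trusting a pid. The function names, the temp-directory layout and the 0644 target mode are assumptions made for the demonstration.

```c
/* Added example: umask-dependent vs. umask-independent pidfile creation.
 * Not part of mailleds; names and paths here are invented for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable variant (the behaviour the report describes): fopen() creates
 * the file with 0666 & ~umask, so a caller with umask 0 gets a 0666 file. */
int write_pidfile_unsafe(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%d\n", (int)pid);
    return fclose(f);
}

/* Hardened variant: open() with an explicit mode, then fchmod() so the final
 * permissions do not depend on the caller's umask at all. O_NOFOLLOW refuses
 * to write through a symlink that someone planted at the pidfile path. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0644) != 0) { close(fd); return -1; }
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (write(fd, buf, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

/* Permission bits (0777 mask) of an existing file, or -1 on error. */
int pidfile_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Read the pid back, but refuse a pidfile that group or other could have
 * modified. Returns the pid, -1 on I/O error, -2 if the file is untrusted. */
long read_pidfile_checked(const char *path)
{
    struct stat st;
    long pid = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fstat(fileno(f), &st) != 0 || (st.st_mode & 022) != 0) {
        fclose(f);
        return -2;            /* writable by group/other: do not trust it */
    }
    if (fscanf(f, "%ld", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

/* Run both writers under umask 0 (the condition from the report) in a fresh
 * temp directory and report the resulting modes and read-side verdicts.
 * Returns 0 on success, -1 if setup or a writer failed. */
int demo_modes(int *unsafe_mode, int *safe_mode, long *unsafe_read, long *safe_read)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";   /* constructed scratch location */
    char unsafe[64], safe[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(unsafe, sizeof unsafe, "%s/unsafe.pid", dir);
    snprintf(safe, sizeof safe, "%s/safe.pid", dir);

    mode_t old = umask(0);                      /* the reporter's "umask 0" */
    int rc = 0;
    if (write_pidfile_unsafe(unsafe, getpid()) != 0) rc = -1;
    if (write_pidfile_safe(safe, getpid()) != 0)     rc = -1;
    umask(old);                                 /* restore, unlike the patch */

    *unsafe_mode = pidfile_mode(unsafe);
    *safe_mode   = pidfile_mode(safe);
    *unsafe_read = read_pidfile_checked(unsafe);
    *safe_read   = read_pidfile_checked(safe);

    unlink(unsafe); unlink(safe); rmdir(dir);
    return rc;
}

int main(void)
{
    int um, sm; long ur, sr;
    if (demo_modes(&um, &sm, &ur, &sr) != 0)
        return 1;
    printf("fopen() under umask 0: mode %04o, read verdict %ld\n", um, ur);
    printf("open()+fchmod():       mode %04o, read verdict %ld\n", sm, sr);
    return 0;
}
```

Under umask 0 the fopen() file comes out 0666 and the read-side check rejects it, while the open()+fchmod() file is 0644 regardless of umask and is accepted. Restoring the saved umask after the write keeps the fix local to the pidfile instead of changing every later file the process creates.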