Package: dnsmasq
Version: 2.55-2
Severity: serious
Tags: security

The initscript (and postinst script) of dnsmasq creates the /var/run/dnsmasq directory and chowns it to dnsmasq:nogroup. However, the dnsmasq daemon writes the pidfile (which apparently is the only file there) as the root user. Here's the code which does this (in src/dnsmasq.c):

    FILE *pidfile;
    /* only complain if started as root */
    if ((pidfile = fopen(daemon->runfile, "w")))
      {
        fprintf(pidfile, "%d\n", (int) getpid());
        fclose(pidfile);
      }

So there's no check for this file already existing, being a symlink, etc. This way we are effectively making the dnsmasq user equal to root: the dnsmasq user can (sym)link /var/run/dnsmasq/dnsmasq.pid to, say, /etc/shadow, and it will be overwritten the next time dnsmasq (re)starts. This is obviously wrong. The only good side of this is that dnsmasq writes only controlled data to this file (its pid, as per above), so the damage is minimal, i.e. only a denial of service, not a gain of privilege (hence Severity is only "serious").

Besides, the documentation says the pid file is /var/run/dnsmasq.pid, not /var/run/dnsmasq/dnsmasq.pid; it is the initscript which sets the option "behind the scenes". Also, there's no mention in the changelog of WHY the pid file is in this location. And more, one can change the user dnsmasq runs as.

It looks like this pidfile stuff needs to be removed entirely (moving it to a subdir silently and chowning that subdir to the dnsmasq user).

Thanks,

/mjt
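For comparison, an added example (not dnsmasq's code and not part of the report) of how a root daemon can write a pidfile into a directory owned by a less-privileged user without following a planted link: open with O_NOFOLLOW, then verify the already-opened descriptor is a regular, unlinked file owned by the expected uid before writing. The daemon would pass 0 (root) as expected_owner; the self-check below passes its own uid and uses a constructed temp directory because it runs unprivileged.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not dnsmasq's code): hardened pidfile writer refusing symlinks,
 * hard links and wrong owner, checked on the opened fd (no TOCTOU). 0 ok, -1 refused. */
int write_pidfile_safely(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;                 /* a symlink at path fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != expected_owner || ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int) getpid());
    int rc = (write(fd, buf, (size_t) n) == n) ? 0 : -1;
    close(fd);
    return rc;
}

/* Self-check in a constructed temp dir: a fresh path gets our pid, while a
 * symlink at the pid path (the report's scenario) is refused and its target
 * is left untouched.  Returns 1 if both hold. */
int demo_pidfile_checks(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", pid[256], lnk[256], tgt[256], check[8] = "";
    int ok = 1, got = -1;
    if (!mkdtemp(dir))
        return 0;
    snprintf(pid, sizeof pid, "%s/dnsmasq.pid", dir);
    snprintf(lnk, sizeof lnk, "%s/planted.pid", dir);
    snprintf(tgt, sizeof tgt, "%s/victim", dir);
    FILE *f = fopen(tgt, "w");
    if (f) { fputs("keep\n", f); fclose(f); }
    if (write_pidfile_safely(pid, getuid()) != 0) ok = 0;
    if (!(f = fopen(pid, "r")) || fscanf(f, "%d", &got) != 1 || got != (int) getpid()) ok = 0;
    if (f) fclose(f);
    if (symlink(tgt, lnk) != 0 || write_pidfile_safely(lnk, getuid()) != -1) ok = 0;
    if ((f = fopen(tgt, "r"))) { if (!fgets(check, sizeof check, f)) check[0] = 0; fclose(f); }
    if (strcmp(check, "keep\n") != 0) ok = 0;
    unlink(pid); unlink(lnk); unlink(tgt); rmdir(dir);
    return ok;
}
```

The owner and nlink checks also cover a hard link planted in the directory where the kernel's protected_hardlinks sysctl is off, since the linked file keeps its original owner and gains a second link.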