From: Bernhard R. L. <br...@pc...> - 2008-01-25 15:12:22
* Craig Small <csm...@en...> [080125 00:37]:
> Regarding http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458003
> the problem is that the create flag is not set so if the file does not
> exist then the program dies.
>
> The fix is in line 741 of lpd.c:
>   if( Checkwrite(logfile, &statb, O_WRONLY|O_APPEND, 0, 0) != 2) {
>
> The first 0 should be 1 for create to be enabled.
>
> My question is, should the log file exist first? Is there some security
> issue in not mandating the file exists before the program starts?
> I just want to make sure it wasn't designed this way.

The code in question is only in lpd. I've not heard of a situation
where lpd was installed suid. And if it was, being able to append things
to existing files would hardly be less dangerous than being allowed to
create new files.

There are three little possible issues I see, though:

* Unless I misread the code, lpd first chdirs to / before this.
  So relative path names would end up at surprising places, as people
  are likely to run this as root.

* checkwrite is not looking at the umask, but (have not looked if
  Is_server is already set there, assuming it here) may use Spool_file
  permissions instead, which might be too broad for a file where
  passwords can end up.

* as the creating of the logfile is before changing the uid, the other
  way is also possible: if the file is created still as root with 0600
  and later written to as another user. AFAIK Linux only checks
  permissions at open time, but I'm not sure about other OSes.
  (On the other hand, the current way the logfile (assuming I did not
  mix up something) can be a file that is not accessible by the finally
  running lpd, which gives some additional security, so I'm not sure if
  that is a good or bad thing.)

Respectfully,
	Bernhard R. Link
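
The three points raised in the reply above, shown as an added C example that is not part of the original message and is not LPRng code. The names `open_log` and `append_after_lockdown`, the `/tmp` path, and the policy of rejecting a log file with any group/other permission bits are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* added example, not LPRng source */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open (optionally create) a daemon log for appending.
 * Returns an fd, or -1 with errno set. */
int open_log(const char *path, int create)
{
    struct stat st;
    int fd, e, flags = O_WRONLY | O_APPEND | O_NOFOLLOW;

    /* After chdir("/") a relative name lands in the root directory,
     * so accept absolute paths only. */
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }
    if (create) flags |= O_CREAT;
    fd = open(path, flags, 0600);   /* umask can only clear bits of 0600 */
    if (fd < 0) return -1;

    /* Example policy (an assumption): regular file, no group/other access. */
    if (fstat(fd, &st) != 0) goto fail;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; goto fail; }
    if (st.st_mode & 077) { errno = EPERM; goto fail; }
    return fd;
fail:
    e = errno; close(fd); errno = e;
    return -1;
}

/* Permission bits are checked by open(), not write(): the descriptor stays
 * usable after the mode is tightened, as it would after a uid change. */
ssize_t append_after_lockdown(int fd, const char *msg)
{
    if (fchmod(fd, 0) != 0) return -1;
    return write(fd, msg, strlen(msg));
}

int main(void)
{
    const char *p = "/tmp/lpd-example.log";   /* constructed path */
    int fd = open_log(p, 1);
    if (fd < 0) { perror("open_log"); return 1; }
    printf("appended %ld bytes\n", (long)append_after_lockdown(fd, "start\n"));
    close(fd); unlink(p);
    return 0;
}
```

Opening the log before the uid change and keeping the descriptor is what lets the file stay inaccessible by name to the process that ends up writing to it.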