From: Mohan <mo...@fc...> - 2015-07-08 16:23:41

Hi Rafael,

Could you please create a bug in sourceforge. We will check in the change
and close the bug.

Thanks
Mohan

On Wed, 2015-06-24 at 06:46 -0400, Rafael dos Santos wrote:
> Mohan,
>
> I just did a fresh install from the latest version (Revision: 7633) here.
>
> ===
> $: head config.log
> It was created by openhpi configure 3.6.0, which was
> generated by GNU Autoconf 2.69. Invocation command line was
>
> $ ./configure --prefix=/tmp --sysconfdir=/etc --with-varpath=/var/lib/openhpi
> ===
>
> After the install, this is what I got
>
> $: ls -l /var/lib/
> [...]
> drwxrwxrwx. 2 root root 4096 Jun 24 12:39 openhpi
>
>
> Att.
> --
> Rafael Fonseca
>
>
> ----- Original Message -----
> > From: "Mohan" <mo...@fc...>
> > To: ope...@li...
> > Sent: Tuesday, June 23, 2015 6:58:34 PM
> > Subject: Re: [Openhpi-devel] /var/lib/openhpi world-writable imposes security risk
> >
> > Hi Rafael,
> >
> > Not familiar with this code segment. But when openhpi* is installed, it
> > creates /var/lib/openhpi with 755 permissions. Just tested it. Please
> > let me know if that is not the case with steps to recreate the problem
> > (777 permissions on /var/lib/openhpi)
> >
> > Thanks
> > Mohan
> >
> >
> > On Tue, 2015-06-23 at 12:40 -0400, Rafael dos Santos wrote:
> > > Hi,
> > >
> > > is there any reason why the directory '/var/lib/openhpi' is created with
> > > world-writable permissions?
> > >
> > > from Makefile.am (line 134):
> > > $(mkinstalldirs) $(DESTDIR)$(VARPATH)
> > > chmod 777 $(DESTDIR)$(VARPATH)
> > >
> > > An attacker could use it to fill up the storage hosting the /var/lib/
> > > directory if quotas are not properly set.
> > >
> > >
> > > Att.
> > > --
> > > Rafael Fonseca
> > >
> > > _______________________________________________
> > > Openhpi-devel mailing list
> > > Ope...@li...
> > > https://lists.sourceforge.net/lists/listinfo/openhpi-devel
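The thread above turns on one install step, `chmod 777 $(DESTDIR)$(VARPATH)`, leaving `/var/lib/openhpi` writable by every local user. The script below is an added example, not OpenHPI project code and not from anyone in the thread: a small POSIX sh audit that detects exactly that state (other-write bit set, no sticky bit) from `ls -ld` output, together with the install step rewritten to leave the directory at 755, which is the permission Mohan reports as intended. The function names, the scratch directories and the use of `ls -ld`/`cut` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not OpenHPI project code): audit directories for the state
# reported in this thread, a world-writable directory without the sticky
# bit, as produced by `chmod 777 $(VARPATH)`, and show the corrected install
# step. Relies only on POSIX `ls -ld` and `cut`, so it works on GNU and BSD.

# Return 0 when directory $1 has the other-write bit set and no sticky bit.
# Characters 9 and 10 of `ls -ld` output are the "other" write and
# execute/sticky flags (e.g. `drwxrwxrwx` versus `drwxrwxrwt`).
is_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    ow=$(printf '%s' "$perms" | cut -c9)
    ox=$(printf '%s' "$perms" | cut -c10)
    [ "$ow" = "w" ] && [ "$ox" != "t" ] && [ "$ox" != "T" ]
}

# Print a warning for every argument that is a world-writable directory;
# return 1 if any was found, 0 if all of them are fine.
audit_dirs() {
    found=0
    for d in "$@"; do
        if [ -d "$d" ] && is_world_writable "$d"; then
            printf 'WARNING: %s is world-writable (%s)\n' \
                "$d" "$(ls -ld "$d" | cut -c1-10)"
            found=1
        fi
    done
    return $found
}

# Corrected form of the install step quoted from Makefile.am: create the
# directory and leave it at 755 instead of 777. $1 stands in for
# $(DESTDIR)$(VARPATH).
install_varpath() {
    mkdir -p "$1" && chmod 755 "$1"
}

# Constructed demonstration: scratch directories standing in for
# /var/lib/openhpi as installed with chmod 777 versus the corrected step.
scratch=$(mktemp -d)
mkdir "$scratch/openhpi-777"
chmod 777 "$scratch/openhpi-777"
install_varpath "$scratch/openhpi-755"
if audit_dirs "$scratch/openhpi-777" "$scratch/openhpi-755"; then
    echo "no world-writable directories found"
fi
rm -rf "$scratch"
```

Run against real paths with `audit_dirs /var/lib/*`; a directory such as `/tmp` passes because its sticky bit (`drwxrwxrwt`) stops users from removing or renaming each other's files, which is the one case where world-writable is intended.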