Your message dated Fri, 21 Sep 2012 16:32:45 +0000
with message-id <e1tf69l-0002vo...@franck.debian.org>
and subject line Bug#686484: fixed in dnsmasq 2.63-4
has caused the Debian Bug report #686484,
regarding chowning pid directory and writing there as root may lead to security 
issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
686484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dnsmasq
Version: 2.55-2
Severity: serious
Tags: security

The initscript (and postinst script) of dnsmasq creates /var/run/dnsmasq
directory and chowns it to dnsmasq:nogroup.  However, dnsmasq daemon writes
the pidfile (which apparently is the only file there) as root user.  Here's
the code which does this (in src/dnsmasq.c):

          FILE *pidfile;
          
          /* only complain if started as root */
          if ((pidfile = fopen(daemon->runfile, "w")))
            {
              fprintf(pidfile, "%d\n", (int) getpid());
              fclose(pidfile);
            }

So there's no checking for this file to exist, being a symlink etc.

This way, we are effectively making dnsmasq user equal to root: dnsmasq
user can (sym)link /var/run/dnsmasq/dnsmasq.pid to, say, /etc/shadow,
and it will be overwritten the next time dnsmasq (re)starts.  This is
obviously wrong.

The only good side of this is that dnsmasq writes only controlled data
to this file (its pid, as per above), so the damage is minimal, ie,
only a denial of service, not gain of service (hence Severity is only
"serious").

Besides, documentation says the pid file is /var/run/dnsmasq.pid, not
/var/run/dnsmasq/dnsmasq.pid - it is the initscript which sets the option
"behind the scenes".  Also, there are no mentions in the changelog about
WHY pid file is in this location.  And more, one can change the user
dnsmasq runs as.

It looks like this pidfile stuff needs to be removed entirely (moving
it to a subdir silently and chowning that subdir to dnsmasq user).

Thanks,

/mjt

--- End Message ---
--- Begin Message ---
Source: dnsmasq
Source-Version: 2.63-4

We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 686...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Kelley <si...@thekelleys.org.uk> (supplier of updated dnsmasq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 21 Sep 2012 17:16:34 +0000
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source i386 all
Version: 2.63-4
Distribution: unstable
Urgency: low
Maintainer: Simon Kelley <si...@thekelleys.org.uk>
Changed-By: Simon Kelley <si...@thekelleys.org.uk>
Description: 
 dnsmasq    - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-utils - Utilities for manipulating DHCP leases
Closes: 686484
Changes: 
 dnsmasq (2.63-4) unstable; urgency=low
 .
    * Make pid-file creation immune to symlink attacks. (closes: #686484)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBck8UACgkQKPyGmiibgrcssACfY3SXrZtaqYkXlUlbK5H1UX5e
2d8An0+WST45232nSRZGPtMUqOq+5FMO
=9mGp
-----END PGP SIGNATURE-----

--- End Message ---
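
A symlink-safe way to create the pid file that the report and the 2.63-4 changelog entry are about, as an added example: this is not dnsmasq's actual patch, and write_pidfile_nofollow, victim_survives and the scratch paths under /tmp are hypothetical names chosen here.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not dnsmasq code): write `pid` to `path` without
   following a symlink planted there. Returns 0, or -1 with errno set. */
int write_pidfile_nofollow(const char *path, pid_t pid)
{
  char buf[32];
  int fd, len = snprintf(buf, sizeof buf, "%d\n", (int) pid);

  /* unlink() removes the directory entry itself: a planted symlink is
     deleted and the file it points at is left untouched. */
  if (unlink(path) == -1 && errno != ENOENT)
    return -1;
  /* O_CREAT|O_EXCL fails with EEXIST if anything, even a dangling symlink,
     reappears at `path` between the unlink() and this open(). */
  fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
  if (fd == -1)
    return -1;
  if (write(fd, buf, (size_t) len) != (ssize_t) len) { close(fd); return -1; }
  return close(fd);
}

/* Constructed self-check: plant demo.pid -> victim in a scratch directory,
   write the pid file, and return 1 if the victim's content survived. */
int victim_survives(void)
{
  char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], pidf[64], got[16] = "";
  FILE *f;
  if (!mkdtemp(dir)) return -1;
  snprintf(victim, sizeof victim, "%s/victim", dir);
  snprintf(pidf, sizeof pidf, "%s/demo.pid", dir);
  if (!(f = fopen(victim, "w"))) return -1;
  fputs("secret\n", f); fclose(f);
  if (symlink(victim, pidf) == -1 || write_pidfile_nofollow(pidf, getpid()) == -1)
    return -1;
  if ((f = fopen(victim, "r"))) { fgets(got, sizeof got, f); fclose(f); }
  unlink(pidf); unlink(victim); rmdir(dir);
  return strcmp(got, "secret\n") == 0;
}

int main(void) { return victim_survives() == 1 ? 0 : 1; }
```

The helper fails closed if the link is re-planted in the window between unlink() and open(); keeping the pid file in a directory only root can write to removes that window altogether.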
