Bug#567175: gmetad: creates world read/writable rrd data files
Well the file permissions are now more sensible but gmetad won't start...

ls -l /var/lib/ganglia/rrds
total 16
drwxr-xr-x 15 ganglia ganglia 4096 2009-10-21 12:17 Servers/
drwxr-xr-x 2 ganglia ganglia 4096 2009-05-08 01:10 __SummaryInfo__/

gmetad -d1
Please make sure that /var/lib/ganglia/rrds is owned by nobody

Setting the file ownership back to nobody allows gmetad to start but doesn't really solve the problem... I guess a patch to gmetad is needed to make it run as ganglia rather than nobody.

--
Chris Jones, SUCS Admin
http://sucs.org

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#567175: gmetad: creates world read/writable rrd data files
On Fri, Feb 26, 2010 at 10:27:27AM +, Chris Jones wrote:
> Well the file permissions are now more sensible but gmetad won't start...
>
> ls -l /var/lib/ganglia/rrds
> total 16
> drwxr-xr-x 15 ganglia ganglia 4096 2009-10-21 12:17 Servers/
> drwxr-xr-x 2 ganglia ganglia 4096 2009-05-08 01:10 __SummaryInfo__/
>
> gmetad -d1
> Please make sure that /var/lib/ganglia/rrds is owned by nobody
>
> Setting the file ownership back to nobody allows gmetad to start but doesn't really solve the problem... I guess a patch to gmetad is needed to make it run as ganglia rather than nobody.

Humm, I suspect this is me being an idiot. I'll take a look at the chown that is run in postinst.

Stuart

--
From the prompt of Stu Teasdale
Hmmm ... a CRIPPLED ACCOUNTANT with a FALAFEL sandwich is HIT by a TROLLEY-CAR ...

Bug#567175: gmetad: creates world read/writable rrd data files
On 26/02/10 12:07, Stu Teasdale wrote:
> On Fri, Feb 26, 2010 at 10:27:27AM +, Chris Jones wrote:
>> Well the file permissions are now more sensible but gmetad won't start...
>>
>> ls -l /var/lib/ganglia/rrds
>> total 16
>> drwxr-xr-x 15 ganglia ganglia 4096 2009-10-21 12:17 Servers/
>> drwxr-xr-x 2 ganglia ganglia 4096 2009-05-08 01:10 __SummaryInfo__/
>>
>> gmetad -d1
>> Please make sure that /var/lib/ganglia/rrds is owned by nobody
>>
>> Setting the file ownership back to nobody allows gmetad to start but doesn't really solve the problem... I guess a patch to gmetad is needed to make it run as ganglia rather than nobody.
>
> Humm, I suspect this is me being an idiot. I'll take a look at the chown that is run in postinst.

Apologies, I'd failed to upgrade gmetad along with the rest of ganglia. This really is fixed.

--
Chris

Bug#567175: gmetad: creates world read/writable rrd data files
Package: gmetad
Version: 3.1.2-2.1
Severity: grave
Tags: security
Justification: causes non-serious data loss

Hi,

gmetad creates its RRD data files with permissions 666, in world-accessible directories (755), e.g.:

$ ls -ld /var/lib/ganglia/rrds/__SummaryInfo__
drwxr-xr-x 2 nobody root 4096 2010-01-26 23:14 /var/lib/ganglia/rrds/__SummaryInfo__
$ ls -l /var/lib/ganglia/rrds/__SummaryInfo__
total 672
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 boottime.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 bytes_in.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 bytes_out.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 cpu_aidle.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 cpu_idle.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 cpu_nice.rrd
[...]

As a result, any local user can not only read the full datasets collected by gmetad (probably not an issue), but can tamper with them or just simply truncate them, causing data loss and denial of service.

A fix would have to take care of newly created files, as well as any files that have previously been created.

Cheers,
Til

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'unstable'), (300, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
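
An audit and cleanup for the two cases the report names (files that already exist, and files created later), as an added example that is not part of the original thread or of the Debian package. The function names are hypothetical, the default path is the one shown in the report, and umask 022 as the target for new files is an assumption; the thread does not say how gmetad sets its own umask.

```shell
#!/bin/sh
# Added example: audit an RRD tree for world-writable entries and tighten it.
# Nothing runs at load time; call the functions on the tree you want to check,
# e.g.  list_world_writable "$RRD_ROOT"

# Default taken from the paths shown in the bug report.
RRD_ROOT="${RRD_ROOT:-/var/lib/ganglia/rrds}"

# Print every regular file under $1 with the "other write" bit set
# (mode 666 in the report). find does not follow symlinks by default.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print
}

# Number of such files, as a bare integer (wc pads on some systems).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Previously created files: remove only the world-write bit from files and
# directories under $1. Ownership is left alone, since gmetad checks it at
# startup (see the "owned by nobody" message in the thread).
tighten_existing() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        -exec chmod o-w {} +
}

# Newly created files: run a command with group/other write masked out.
# Assumption: the command does not reset its umask or chmod its output
# afterwards; a daemon that does needs the fix in its own code.
run_with_safe_umask() {
    ( umask 022 && "$@" )
}
```

Running `count_world_writable` before and after `tighten_existing` gives a quick regression check after a package upgrade.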