Bug ID 1208303
Summary AUDIT-FIND: kismet: predictable lock file in /tmp created by kismet_cap_linux_wifi
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter wolfgang.frisch@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

kismet_cap_linux_wifi creates a predictable file in /tmp [1]:

```c
int acquire_interface_lock(local_wifi_t *local_wifi) {
    local_wifi->lock_fd = open("/tmp/.kismet_cap_linux_wifi_interface_lock",
                               O_CREAT | O_WRONLY, S_IWUSR | S_IWGRP);

    /* ... further down, a system-wide exclusive lock on this file is obtained: */
    flock(local_wifi->lock_fd, LOCK_EX | LOCK_NB)
```

When kismet is installed according to the official documentation (as of now)
[2], this program will have either setuid-root set or it will be executed as
root by the main kismet daemon.

This allows an unprivileged user to:

a) create arbitrary files on the system if /proc/sys/fs/protected_symlinks=0
b) obtain locks for arbitrary files on the system if /proc/sys/fs/protected_symlinks=0
c) deny kismet's service if the capture binaries are installed without setuid-root but with file capabilities.
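As an added example (not kismet's code), a hardened form of the lock routine that avoids the issues above: it assumes the caller passes a directory writable only by the service's own user (e.g. a hypothetical /run/kismet rather than the world-writable /tmp), refuses symlinks and non-regular files, and restricts the mode so other users cannot take the lock. The self-check at the end exercises it in a private temporary directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOCK_NAME "kismet_cap_linux_wifi_interface_lock"

/* Hardened lock acquisition. lock_dir is assumed to be a directory only the
 * service user (root) can write to, never /tmp. Returns the locked fd, or -1
 * if the path is a symlink/non-regular object, owned by someone else, or already locked. */
int acquire_interface_lock_safe(const char *lock_dir) {
    char path[PATH_MAX];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/%s", lock_dir, LOCK_NAME) >= (int)sizeof path)
        return -1;
    /* O_NOFOLLOW: a planted symlink makes open() fail with ELOOP instead of creating
     * or locking its target. Mode 0600: no other user can open the file to hold the lock. */
    int fd = open(path, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || flock(fd, LOCK_EX | LOCK_NB) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Closing the descriptor releases the flock. */
void release_interface_lock(int fd) { if (fd >= 0) close(fd); }

/* Self-check in a fresh mkdtemp() directory: first acquisition succeeds, a second is
 * refused while held, and a symlink planted at the lock path is rejected. Returns 1 on success. */
int lock_demo(void) {
    char dir[] = "/tmp/kismet_lock_demo_XXXXXX", path[PATH_MAX], victim[PATH_MAX];
    if (!mkdtemp(dir)) return 0;
    snprintf(path, sizeof path, "%s/%s", dir, LOCK_NAME);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd = acquire_interface_lock_safe(dir);
    int ok = fd >= 0 && acquire_interface_lock_safe(dir) == -1;
    release_interface_lock(fd);
    unlink(path);
    close(open(victim, O_CREAT | O_WRONLY, 0600)); /* constructed target file */
    ok = ok && symlink(victim, path) == 0 && acquire_interface_lock_safe(dir) == -1;
    unlink(path); unlink(victim); rmdir(dir);
    return ok;
}
int main(void) { return lock_demo() ? 0 : 1; }
```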

[1]
https://github.com/kismetwireless/kismet/blob/cca9ed610d640d89f2c8c63f678b045764530109/capture_linux_wifi/capture_linux_wifi.c#L478
[2] https://www.kismetwireless.net/packages/#suid-root--privileged-capture
