[Bug 1208303] New: AUDIT-FIND: kismet: predictable lock file in /tmp created by kismet_cap_linux_wifi
http://bugzilla.opensuse.org/show_bug.cgi?id=1208303

Bug ID: 1208303
Summary: AUDIT-FIND: kismet: predictable lock file in /tmp created by kismet_cap_linux_wifi
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: wolfgang.frisch@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

kismet_cap_linux_wifi creates a predictable file in /tmp [1]:

```
int acquire_interface_lock(local_wifi_t *local_wifi) {
    local_wifi->lock_fd = open("/tmp/.kismet_cap_linux_wifi_interface_lock",
                               O_CREAT | O_WRONLY, S_IWUSR | S_IWGRP);

// Further down, a system-wide exclusive lock on this file is obtained:
flock(local_wifi->lock_fd, LOCK_EX | LOCK_NB)
```

When kismet is installed according to the official documentation (as of now) [2], this program will have either setuid-root set or it will be executed as root by the main kismet daemon.

This allows an unprivileged user to

a) create arbitrary files on the system if /proc/sys/fs/protected_symlinks=0
b) obtain locks for arbitrary files on the system, if /proc/sys/fs/protected_symlinks=0
c) deny kismet's service if the capture binaries are installed without setuid-root but with file capabilities.

[1] https://github.com/kismetwireless/kismet/blob/cca9ed610d640d89f2c8c63f678b04...
[2] https://www.kismetwireless.net/packages/#suid-root--privileged-capture
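One way to take such a lock without the /tmp exposure described in the report, as an added example that is not Kismet's code or its actual fix. The names `acquire_lock_hardened`, `lock_dir` and `demo` are hypothetical, `lock_dir` is assumed to be a directory only the privileged user can write to, and `demo()` checks the behaviour in a private temporary directory.

```c
/* Added example, not Kismet code. acquire_lock_hardened/lock_dir/demo are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>
#define LOCK_NAME ".kismet_cap_linux_wifi_interface_lock"

/* Returns a locked fd, or -1. Assumption: lock_dir is writable only by the
 * privileged user (for example a directory under /run), unlike /tmp. */
int acquire_lock_hardened(const char *lock_dir) {
    struct stat st;
    int dfd = open(lock_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* O_NOFOLLOW: a symlink at the lock name makes openat() fail (ELOOP)
     * instead of creating or opening whatever the link points to. */
    int fd = openat(dfd, LOCK_NAME, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC,
                    S_IRUSR | S_IWUSR);
    close(dfd);
    if (fd < 0) return -1;
    /* Refuse anything that is not a regular, singly linked file we own,
     * and fail rather than block if another process holds the lock. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || flock(fd, LOCK_EX | LOCK_NB) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on constructed input; returns 0 when every expectation holds. */
int demo(void) {
    char dir[] = "/tmp/lockdemo.XXXXXX", link[128], target[128];
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/%s", dir, LOCK_NAME);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) return -1;
    int planted = acquire_lock_hardened(dir);  /* symlink at lock name: refused */
    int created = access(target, F_OK) == 0;   /* link target must not exist */
    unlink(link);
    int first = acquire_lock_hardened(dir);    /* clean directory: lock taken */
    int second = acquire_lock_hardened(dir);   /* already locked: refused */
    if (first >= 0) close(first);
    unlink(link); rmdir(dir);
    return (planted == -1 && !created && first >= 0 && second == -1) ? 0 : 1;
}
int main(void) { return demo(); }
```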