[Bug 714632] New: ipmiutil: use of /var/lock/subsys unsupported
https://bugzilla.novell.com/show_bug.cgi?id=714632#c0

Summary: ipmiutil: use of /var/lock/subsys unsupported
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: All
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: kkaempf@suse.com
ReportedBy: lnussel@suse.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

ipmiutil uses /var/lock/subsys which is unsupported on openSUSE. On openSUSE /var/lock is reserved for device lock files and must not be used for other purposes. Due to the use of tmpfs on /var/lock the subsys directory does not exist anymore either, so if your package used /var/lock/subsys for any real purpose it might be silently broken already.

Please fix your package to not use /var/lock/subsys.

http://en.opensuse.org/openSUSE:Packaging_checks#subsys-unsupported

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=714632#c1

Klaus Kämpf <kkaempf@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
           Severity|Normal                      |Major

--- Comment #1 from Klaus Kämpf <kkaempf@suse.com> 2011-08-30 10:56:10 UTC ---
Reported upstream as ID 3400659
(https://sourceforge.net/tracker/?func=detail&aid=3400659&group_id=116222&atid=674089)

Package fixed

https://bugzilla.novell.com/show_bug.cgi?id=714632#c2

--- Comment #2 from Ludwig Nussel <lnussel@suse.com> 2011-08-30 13:44:58 CEST ---
That's not quite as intended. The script must not use /var/lock/subsys at all. The theoretical attack is that an attacker that gains access to the lock group could put arbitrary things in /var/lock, e.g. stale symlinks pointing to somewhere. Your init script would follow such a link and touch a file in an arbitrary place. E.g.

ln -s /etc/nologin /var/lock/subsys/hpi

would result in no user being able to log in anymore if the script was run. The likelihood and impact of such an attack is low of course, but if the script is fixed in that regard it should be fixed correctly :-)

https://bugzilla.novell.com/show_bug.cgi?id=714632#c3

--- Comment #3 from Klaus Kämpf <kkaempf@suse.com> 2011-08-30 11:55:27 UTC ---
(In reply to comment #2)
> That's not quite as intended. The script must not use /var/lock/subsys at all.
> The theoretical attack is that an attacker that gains access to the lock group
> could put arbitrary things in /var/lock, e.g. stale symlinks pointing to
> somewhere. Your init script would follow such a link and touch a file in an
> arbitrary place. E.g.
> ln -s /etc/nologin /var/lock/subsys/hpi

Hmm, how's that different from tampering with /var/run or any other dir/file used by the ipmiutil package?

I guess protecting the system from unauthorized access (i.e. to the lock group) is outside of ipmiutil.

https://bugzilla.novell.com/show_bug.cgi?id=714632#c4

--- Comment #4 from Ludwig Nussel <lnussel@suse.com> 2011-08-30 14:04:37 CEST ---
/var/run is only writable by root whereas /var/lock is writable by the lock group. Unauthorized access to the lock group could be gained by exploiting the setgid lock binary /usr/sbin/lockdev (theoretically, no exploit known atm). That's only outside the scope of ipmiutil as long as it stays out of /var/lock.
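
The symlink scenario from comments #2 and #4, reproduced inside a temporary sandbox as an added example (not part of the bug thread or of the ipmiutil package). The directory names `lock` and `run`, the target `nologin` and all function names are assumptions standing in for /var/lock/subsys, /var/run and /etc/nologin; the exclusive-create step goes beyond the fix the thread asks for, which is simply to stay out of /var/lock.

```shell
#!/bin/sh
# Added illustration. Every path lives in a throwaway mktemp sandbox
# (constructed): "lock" stands in for a group-writable /var/lock/subsys,
# "run" for a root-only directory, "nologin" for the link target.

# True if DIR is writable by its group or by others, i.e. someone other
# than the owner can plant entries (including symlinks) in it.
dir_is_shared() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# What the init script effectively does: touch follows a symlink in the
# final path component and creates whatever it points to.
unsafe_mark() {
    touch "$1"
}

# Hardened marker: refuse shared directories outright, then create with
# noclobber so the shell opens the file O_CREAT|O_EXCL, which fails on an
# existing name even when that name is a dangling symlink.
safe_mark() {
    if dir_is_shared "$(dirname "$1")"; then return 1; fi
    ( set -C; : > "$1" ) 2>/dev/null
}

demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/lock" "$sandbox/run"
    chmod 0775 "$sandbox/lock"; chmod 0755 "$sandbox/run"
    ln -s "$sandbox/nologin" "$sandbox/lock/hpi"   # planted dangling link
    out=""

    unsafe_mark "$sandbox/lock/hpi"
    if [ -e "$sandbox/nologin" ]; then out="unsafe:target-created"; fi
    rm -f "$sandbox/nologin"

    if ! safe_mark "$sandbox/lock/hpi"; then out="$out shared:refused"; fi
    # Exclusive create on its own also rejects the planted link.
    if ! ( set -C; : > "$sandbox/lock/hpi" ) 2>/dev/null; then out="$out excl:refused"; fi
    if [ ! -e "$sandbox/nologin" ]; then out="$out target:absent"; fi
    if safe_mark "$sandbox/run/hpi"; then out="$out private:ok"; fi

    rm -rf "$sandbox"
    echo "$out"
}

demo
```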

https://bugzilla.novell.com/show_bug.cgi?id=714632#c5

--- Comment #5 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-27 16:00:07 CEST ---
This is an autogenerated message for OBS integration:
This bug (714632) was mentioned in
https://build.opensuse.org/request/show/89549 Factory / ipmiutil

https://bugzilla.novell.com/show_bug.cgi?id=714632#c6

--- Comment #6 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-08 16:00:08 CET ---
This is an autogenerated message for OBS integration:
This bug (714632) was mentioned in
https://build.opensuse.org/request/show/95978 Factory / ipmiutil