[Bug 1206699] New: haveged uses fixed filename in world-writeable directory
http://bugzilla.opensuse.org/show_bug.cgi?id=1206699

            Bug ID: 1206699
           Summary: haveged uses fixed filename in world-writeable directory
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: peter.simons@suse.com
          Reporter: suse-beta@cboltz.de
        QA Contact: qa-bugs@suse.de
                CC: meissner@suse.com, otto.hollmann@suse.com
          Found By: ---
           Blocker: ---

haveged creates a file /dev/shm/sem.haveged_sem on startup.

/dev/shm/ is (like /tmp) writeable for everybody, which means a malicious person could create a file or symlink named /dev/shm/sem.haveged_sem before haveged starts:

    cd /dev/shm && ln -s hacked sem.haveged_sem

On the positive side, haveged seems to check if the file is a symlink before blindly opening it (timestamps removed to make the log readable):

    systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
    haveged[12775]: haveged: command socket is listening at fd 3
    haveged[12775]: haveged: Couldn't create nammed semaphore haveged_sem error: Too many levels of symbolic links
    systemd[1]: haveged.service: Main process exited, code=exited, status=1/FAILURE
    systemd[1]: haveged.service: Failed with result 'exit-code'.

So if haveged_sem exists as a symlink, this blocks haveged from starting (denial of service).

In theory there could also be a race condition between the check for a symlink and (if it doesn't exist [yet]) opening the file for writing, that might allow an attacker to create a symlink at the right moment and write to an attacker-chosen file.

If the file exists as a normal file, haveged starts nevertheless, and it doesn't change the file content. (No idea if it reads the file, and if yes, if "funny things" might happen depending on the file content.)

I'd recommend using a randomly chosen filename (mktemp), or alternatively a directory that is not world-writeable.

-- You are receiving this mail because: You are on the CC list for the bug.
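
The check-then-open race and the random-name recommendation from the report, shown as an added example (not haveged's code and not part of the original bug report): `O_CREAT|O_EXCL` folds the existence check and the creation into one atomic step, and `mkstemp` supplies an unpredictable name. The scratch directory, the helper names `create_exclusive` and `demo`, and the planted symlink are constructed for the demonstration; a private directory under /tmp stands in for /dev/shm.

```c
/* Added example, not haveged code: refuse a pre-planted name atomically. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Create path only if nothing exists there. With O_CREAT|O_EXCL the
 * existence check and the creation are a single atomic step, and a symlink
 * in the last component is not followed: open() fails with EEXIST.
 * Returns an fd >= 0 on success, -errno on failure. */
int create_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    return fd >= 0 ? fd : -errno;
}

/* Constructed scenario: a private scratch directory stands in for /dev/shm
 * and a symlink is planted under the fixed name before the service starts.
 * Returns 0 when the fixed name is refused, the link target is left
 * uncreated, and a randomly named file can still be created. */
int demo(void)
{
    char dir[] = "/tmp/shm-demo.XXXXXX", fixed[64], target[64], rnd[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(fixed, sizeof fixed, "%s/sem.haveged_sem", dir);
    snprintf(target, sizeof target, "%s/hacked", dir);
    snprintf(rnd, sizeof rnd, "%s/sem.XXXXXX", dir);
    if (symlink("hacked", fixed) != 0) { rmdir(dir); return -1; }

    int refused = create_exclusive(fixed) == -EEXIST;
    int untouched = access(target, F_OK) != 0;  /* nothing written via link */
    int fd = mkstemp(rnd);                      /* unpredictable name, O_EXCL */

    if (fd >= 0) { close(fd); unlink(rnd); }
    unlink(fixed);
    rmdir(dir);
    return (refused && untouched && fd >= 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s\n", rc == 0 ? "planted symlink refused" : "unexpected");
    return rc;
}
```

A random name only helps when no other process has to find the object by name; otherwise the report's second option, a directory that is not world-writeable, is the one that applies.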
http://bugzilla.opensuse.org/show_bug.cgi?id=1206699

Hans-Peter Jansen <hpj@urpla.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hpj@urpla.net