Bugtraq mailing list archives

License Manager's lockfiles (Solaris 2.5.1)

From: na98jen () STUDENT HIG SE (Joel Eriksson)
Date: Wed, 21 Oct 1998 20:22:38 +0200


License Manager on Solaris 2.5.1 tends to make stupid lockfiles owned by
root and mode 666 (worldwrite'able). That is not good, since anyone could
create rootowned files which they then would be able to modify. It's an
even bigger problem since it just takes about a minute 'til the lockfile
is created after it's replaced with a symlink which it follows ..

Btw, if this is an old bug, I apologize. It's deadsimple so I would be
surprised if it's not.. :-P Well, anyway..

On the system I am on it looks like this:

bash$ ls -l /var/tmp/lock*
-rw-rw-rw-   1 root     root           0 Oct 21 18:24 /var/tmp/lockESRI
-rw-rw-rw-   1 root     root           0 Oct 21 16:40 /var/tmp/lockISE-TCADd
-rw-rw-rw-   1 root     root           0 Oct 21 14:29 /var/tmp/lockalta
-rw-rw-rw-   1 root     root           0 Oct 21 18:52 /var/tmp/lockansysd
-rw-rw-rw-   1 root     root           0 Oct 21 18:52 /var/tmp/lockasterxd
-rw-rw-rw-   1 root     root           0 Oct 21 16:40 /var/tmp/lockhpeesofd
-rw-rw-rw-   1 root     root           0 Oct 21 18:46 /var/tmp/locksuntechd

And:

bash$ ls -l /var/tmp/.flexlm
total 2
-rw-rw-rw-   1 root     root         163 Oct 21 19:55 lmgrd.211

I tested the bug by removing lockESRI and making a symlink to
/var/tmp/test, in about a minute the file was created, owned by root and
worldwrite'able.

At first I didn't know where the bug was located but managed to find out
by looking in the licenses_combined file that was passed as an option to
the programs with the lockfiles. After some research I realised that the
licenses_combined file was used by /opt/SUNWste/license_tools/lmgrd.ste
that runs on the system I'm on.

With strings I found the /usr/tmp/.flexlm (/usr/tmp is a symlink to
/var/tmp) I have not tested to symlink lmgrd.211 (211 = lmgrd.ste's PID)
but I guess it's exploitable to, if you can predict the PID (which
probably isn't that hard when it's run from rc-scripts or similar on boot)

There is also a frequent use of temporary files in the
/opt/SUNWste/license_tools/config_template which also could be a
securityrisk, at least if you can predict when the script is ran ..
Raceconditions.

/Joel Eriksson

Current thread:

SVGATextMode 1.8 /tmp race Adrian Voinea (Oct 21)
- License Manager's lockfiles (Solaris 2.5.1) Joel Eriksson (Oct 21)
  - Re : 13 tiny bytes to show the huge sillyness of our great common ga (Oct 23)
  - Re: License Manager's lockfiles (Solaris 2.5.1) pedward () WEBCOM COM (Oct 23)
  - Re: License Manager's lockfiles (Solaris 2.5.1) Roger Harrison ? (Oct 23)
    - Re: License Manager's lockfiles (Solaris 2.5.1) Peter Marelas (Oct 24)
- Re: SVGATextMode 1.8 /tmp race dumped (Oct 22)
- Re: SVGATextMode 1.8 /tmp race Ben Collins (Oct 22)
  - Re: SVGATextMode 1.8 /tmp race Marcelo Roccasalva (Oct 23)
- Incorrect behaviour of setre[ug]id in OpenBSD Will Waites (Oct 22)
  - Re: Incorrect behaviour of setre[ug]id in OpenBSD Will Waites (Oct 23)
  - slocate v1.4 klindsay (Oct 24)

(Thread continues...)