Bugtraq mailing list archives

[linux-security] Re: Big security hole in kerneld's request_route

From: jack () solucorp qc ca (Jacques Gelinas)
Date: Thu, 13 Jun 1996 17:55:13 -0500


On Wed, 12 Jun 1996 ichudov () algebra com wrote:

[Mod: Quoting trimmed.  --Jeff.]

I was just looking at sources of newly released linux 2.0.
In modules-1.3.69k, in kerneld's subdirectory, there is a file
request_route.sh (see below). It's supposed to run as root, whenever
a route is requested. It is supposed to start pppd or something like
that.

As it appears, it is possible to destroy system philes (such as /etc/passwd
and so on).


The path should be changed to /var/run/request-route.pid

It is unfortunate that there is no cleaner way to wait for pppd's success
or failure. I mean to do something as simple as

if /usr/sbin/pppd ...
then
        echo ok
else
        echo failure
fi

pppd just fork (goes in background) to soon. Maybe there is already an
option.

 --------------------------------------------------------
Jacques Gelinas (jacques () solucorp qc ca)
Use Linux without reformating: Use UMSDOS.

Current thread:

Re: Publically writable directories, (continued)
- - - Re: Publically writable directories Neil Soveran-Charley (Jun 16)
    - Re: Publically writable directories Brian Mitchell (Jun 17)
    - Re: Publically writable directories Thomas Koenig (Jun 18)
    - Re: Publically writable directories Bill Pemberton (Jun 18)
    - Re: Publically writable directories Thomas Koenig (Jun 18)
    - Re: Publically writable directories Bill Pemberton (Jun 17)
    - Re: Publically writable directories David DeSimone (Jun 17)
    - Re: Publically writable directories Valdis.Kletnieks () vt edu (Jun 17)
    - Re: Publically writable directories Michael Dilger (Jun 17)
  - Re: system() call in suid programs Kari E. Hurtta (Jun 14)
- [linux-security] Re: Big security hole in kerneld's request_route Jacques Gelinas (Jun 13)