Re: Xinetd /tmp race?

[fileland () SOUND NET (Wayne Schroeder)]

My xinetd (2.2.1-5) from debian hamm does this.. but if you will notice
HUP is NOT used anywhere like inetd does.  HUP is used only to cause it to
dump info.. as documented.  Sig 10 is reload.  YES it IS a race... but the
dump file can easily be changed to something else in the source config.


Wayne



 On Wed, Nov 11, 1998 at 03:28:03AM +0100, Balazs Nagy wrote:
> Hiyas,
>
> If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
> this method isn't checked against /tmp, and it happily overwrites anything
> in the place of that file.  The package has been released in 1997, IMHO this
> is too old to have a bug of this kind hidden.
>
> BTW here's the patch:
> diff -ruN xinetd-2.2.1.orig/xinetd/internals.c
> xinetd-2.2.1/xinetd/internals.c
> --- xinetd-2.2.1.orig/xinetd/internals.c        Sun Nov  8 13:28:00 1998
> +++ xinetd-2.2.1/xinetd/internals.c     Sun Nov  8 13:27:33 1998
> @@ -55,7 +55,14 @@
>         register int fd ;
>         register unsigned u ;
>         char *func = "dump_internal_state" ;
> +       struct stat sb;
>
> +       if (!(stat(dump_file,
> &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1))
> +       {
> +               msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable
> link", dump_file ) ;
> +               return ;
> +       }
> +
>         dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND,
> DUMP_FILE_MODE ) ;
>         if ( dump_fd == -1 )
>         {
> --
>    Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu
>       PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8  86 64 9C 42 41 A4 BD B8

--
 [ Razathorn <fileland () sound net>                                 ]
 [ PGP public key http://www.sound.net/~fileland/pubkey.shtml     ]
 [ Finger Print: B8 9B 4B F5 67 1C A3 86  2F 91 F2 81 08 08 79 49 ]