oss-sec mailing list archives
Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation
From: Michael Orlitzky <michael () orlitzky com>
Date: Thu, 7 Sep 2017 08:38:23 -0400
On 09/06/2017 05:15 PM, Daniel Kahn Gillmor wrote:
> But i think future reports of problems with pidfiles (e.g. your helpful cleanup of mimedefang -- thanks!) should always include the suggestion to disable pidfiles entirely and to encourage developers who must implement them to ensure that they're only an extra feature, for use with otherwise limited service managers, and perhaps to be compile-time disabled.
I've been reluctant to do this because I'm approaching these as an OpenRC user, and OpenRC has the ability to supervise the daemon. I always hate it when someone makes a suggestion (at my expense) that amounts to "I don't need this, so you don't need this" -- and I don't want to be /that/ guy.

I think a compile-time option is reasonable, though. Maybe the ability to fork into the background should also be compiled out in that case. When I encounter more of these, I'll provide a list of possible solutions and include "get rid of the PID file" along with its trade-offs.

Most of the PID file vulnerabilities that I've found are in the distribution init scripts: the only ones that hit this list are the upstream projects that make it impossible for the distro developers to get it right. Curiously though, a lot of the problems that I've found in the distro scripts are for daemons that run in the foreground and are supposed to be supervised.

Basically, there are two accepted approaches. Forking,

  1. Daemon forks
  2. Daemon writes a PID file
  3. Daemon drops privileges

And supervised:

  4. Daemon runs in the foreground, and does nothing special

What I've found is that many programs choose any old subset of (1) through (4), and implement them in any order. As a result, init script authors haven't developed a feel for the right way to do things; they copy/paste snippets from other init scripts until things seem to work. I've found services that run with *two* PID files, one of which is ignored. I've found services that go out of their way to give away ownership of /run/foo, even though /run/foo/foo.pid is created and owned by root. Pretty much any way you can go wrong has made an appearance at least once, and all of these are for daemons that should be supervised -- the service scripts should be trivial.

Anyway, my point is, it may be optimistic to think that we can help people not do weird things in their service scripts =)
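The forking sequence described in the mail above (fork, write the PID file, drop privileges), as an added C example that is not from the thread, from nagios or from OpenRC; the O_NOFOLLOW/ownership checks on the PID file, the irreversibility check after setuid(), and the path, uid and gid arguments are this example's own assumptions about how a daemon would do step 2 while still root and before step 3.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 2: write our PID to `path` while still root, before any privilege
 * drop. O_NOFOLLOW refuses a symlink planted at the path; the fstat check
 * refuses a pre-existing file owned by someone else. Returns 0 or -1. */
int write_pidfile(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || ftruncate(fd, 0) < 0) { close(fd); return -1; }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    int ok = n > 0 && write(fd, buf, (size_t)n) == n;
    close(fd);
    return ok ? 0 : -1;
}

/* Read a PID back; -1 if the file is unreadable or malformed. */
long read_pidfile(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long pid = -1;
    if (fscanf(f, "%ld", &pid) != 1 || pid <= 0) pid = -1;
    fclose(f);
    return pid;
}

/* Step 3: drop to uid/gid for good. Groups and gid go before the uid,
 * since after setuid() we can no longer change them. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* the drop must be irreversible */
}

/* The forking approach in the accepted order: fork, write the PID file
 * (as root), then drop privileges. Never the other way round. */
int start_forking_daemon(const char *pidfile, uid_t uid, gid_t gid) {
    pid_t p = fork();                               /* step 1 */
    if (p < 0) return -1;
    if (p > 0) _exit(0);                            /* parent leaves */
    if (setsid() < 0 || write_pidfile(pidfile) < 0) /* step 2, still root */
        return -1;
    return drop_privileges(uid, gid);               /* step 3 */
}
```

Swapping steps 2 and 3 is the ordering mistake the mail warns about: once the daemon runs as the service user, the PID file it writes is under that user's control rather than root's.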