oss-sec mailing list archives

Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation

From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 07 Sep 2017 12:22:11 -0400

On Thu 2017-09-07 08:38:23 -0400, Michael Orlitzky wrote:

I've been reluctant to do this because I'm approaching these as an
OpenRC user, and OpenRC has the ability to supervise the daemon. I
always hate it when someone makes a suggestion (at my expense) that
amounts to "I don't need this, so you don't need this" -- and I don't
want to be /that/ guy.


You don't need to be /that/ guy to point out that there are multiple
possible approaches to managing services, and some service management
approaches are simply less vulnerable to this stuff than others.

You're helping to identify a class of problems here that need to be
eliminated.  I don't think we do anyone any favors by hiding the fact
that the class of problems can be completely avoided by using systemd,
openrc, runit, s6, /sbin/init, etc.

I've found services that run with *two* PID files, one of which is
ignored. I've found services that go out of their way to give away
ownership of /run/foo, even though /run/foo/foo.pid is created and owned
by root. Pretty much any way you can go wrong has made an appearance at
least once, and all of these are for daemons that should be supervised
-- the service scripts should be trivial.


sigh.  are you cataloging these somewhere?  this is really valuable
work, and it'd be great to see a list of common failures.  Do you know
if any of them are collected under CWE or any other widely-accepted
taxonomy?

Is there any way to automate these tests, or do we need a human to read
each initscript and look for flaws?  Are other people helping you in
this review?  how are you tracking/coordinating your reviews?

Anyway, my point is, it may be optimistic to think that we can help
people not do weird things in their service scripts =)


thank you for doing this review, but i disagree with your conclusion --
you're already helping people to not do weird things in their service
scripts, just by writing these reports :)

You might not be able to prevent all the bad from happening, but
establishing what a bad practice looks like will help people push back
against those practices in the future.

Regards,

         --dkg

Attachment: signature.asc
Description:

Current thread:

CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Michael Orlitzky (Aug 16)
- Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Daniel Kahn Gillmor (Aug 16)
  - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Michael Orlitzky (Aug 18)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Daniel Kahn Gillmor (Sep 06)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Michael Orlitzky (Sep 07)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Simon McVittie (Sep 07)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Daniel Kahn Gillmor (Sep 07)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Simon McVittie (Sep 07)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Daniel Kahn Gillmor (Sep 07)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Daniel Kahn Gillmor (Sep 07)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Michael Orlitzky (Sep 11)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation Simon McVittie (Sep 11)
    - Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation kseifried () redhat com (Sep 11)