SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Linux)  >   sysvinit Vendors:   Slackware
Slackware Linux Configuration Flaw in 'sysvinit' May Let Local Users Bypass Some Filesystem Access Restrictions
SecurityTracker Alert ID:  1006813
SecurityTracker URL:  http://securitytracker.com/id/1006813
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 22 2003
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Slackware 9.0; sysvinit prior to 2.84-i386-26
Description:   A configuration vulnerability was reported Slackware Linux in sysvinit. A local user may be able to bypass certain filesystem access permissions (e.g., nosuid, nodev, noexec).

It is reported that the sysvinit quotacheck in /etc/rc.d/rc.M incorrectly uses the 'M' option instead of the 'm' option:

echo "Checking filesystem quotas: /sbin/quotacheck -avugM"
/sbin/quotacheck -avugM

The use of the 'M' option reportedly causes the filesystem to be remounted. As a result, mount flags such as nosuid, nodev, noexec, and others are reset.

The vendor credits Jem Berkes with reporting this flaw.

Impact:   A local user may be able to bypass some filesystem restriction attributes.
Solution:   The vendor has released a fixed sysvinit package for Slackware 9.0, available at:

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sysvinit-2.84-i386-26.tgz

The MD5 signatures are:

966281dbd4e8cac23264021b9ad48f61 sysvinit-2.84-i386-26.tgz


To install, upgrade using upgradepkg (as root):

upgradepkg sysvinit-2.84-i386-26.tgz

Then, move the new version of rc.M into place with the following command, as rc.M is considered a config file and upgradepkg will not overwrite these config files by default:

mv /etc/rc.d/rc.M.new /etc/rc.d/rc.M

Vendor URL:  www.slackware.com (Links to External Site)
Cause:   Configuration error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Slackware Issues Revised Advisory) Slackware Linux Configuration Flaw in 'sysvinit' May Let Local Users Bypass Some Filesystem Access Restrictions
A revised advisory that corrects a typographical error has been released.



 Source Message Contents

Subject:  [slackware-security] quotacheck security fix in rc.M (SSA:2003-141-06)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  quotacheck security fix in rc.M (SSA:2003-141-06)

An upgraded sysvinit package is available which fixes a problem with
the use of quotacheck in /etc/rc.d/rc.M.  The original version of
rc.M calls quotacheck like this:

    echo "Checking filesystem quotas:  /sbin/quotacheck -avugM"
    /sbin/quotacheck -avugM

The 'M' option is wrong.  This causes the filesystem to be remounted,
and in the process any mount flags such as nosuid, nodev, noexec,
and the like, will be reset.  The correct option to use here is 'm',
which does not attempt to remount the partition:

    echo "Checking filesystem quotas:  /sbin/quotacheck -avugm"
    /sbin/quotacheck -avugm

We recommend sites using file system quotas upgrade to this new package,
or edit /etc/rc.d/rc.M accordingly.


Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/sysvinit-2.84-i386-26.tgz:  Use option M, not m, for quotacheck.
  Otherwise, the partition might be remounted losing flags like nosuid,nodev,
  noexec.  Thanks to Jem Berkes for pointing this out.
  (* Security fix *)
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sysvinit-2.84-i386-26.tgz



MD5 SIGNATURES:
+-------------+

Slackware 9.0 package:
966281dbd4e8cac23264021b9ad48f61  sysvinit-2.84-i386-26.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade using upgradepkg (as root):

upgradepkg sysvinit-2.84-i386-26.tgz

Then, you'll need to move the new version of rc.M into place, as rc.M
is considered a config file and upgradepkg will not overwrite these by
default:

mv /etc/rc.d/rc.M.new /etc/rc.d/rc.M



+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+zBCIakRjwEAQIjMRAr+MAKCPL5dylZx3tnK46utV89w4LDXcYACdHSJW
L6vzAiOlRbKHZ/u2KR0egX4=
=bWMr
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC