| commit | f797c27efecad45af191c518b7f87fda32ada160 | |
| author | Steffen (Daode) Nurpmeso <steffen@sdaoden.eu> | |
| Fri, 27 Jan 2017 18:58:39 +0000 (27 19:58 +0100) | ||
| committer | Steffen (Daode) Nurpmeso <steffen@sdaoden.eu> | |
| Fri, 27 Jan 2017 19:09:51 +0000 (27 20:09 +0100) | ||
| tree | 042160b7de122444216b2fdf7454fd2f7d69cec9 | treesnapshot (tar.gz zip) |
| parent | 03612aa5f35762a111a907a53e42425c354c68ba | commitdiff |
FIX privsep.c, yes, vulnerability (wapiflapi)..
wapiflapi (wapiflapi at yahoo dot fr) reported a vulnerability
when the privsep program is driven directly: it is possible to
pass a random string which includes path separators.
This random string is used to build the path name of a an
O_EXCLusively created file, which then is fchown()ed to the owner
of the mailbox the privsep child is to be used to create a lock
file for. The exclusively created file is then removed, whether
the race has been won or not.
The privsep child will refuse to run unless the executing user
owns the mailbox file, that is, has read (or read/write, dependent
on mode), the target of the link will always be the name of said
mailbox with a ".lock" suffix (Unix dotlock locking).
wapiflapi (wapiflapi at yahoo dot fr) reported a vulnerability
when the privsep program is driven directly: it is possible to
pass a random string which includes path separators.
This random string is used to build the path name of a an
O_EXCLusively created file, which then is fchown()ed to the owner
of the mailbox the privsep child is to be used to create a lock
file for. The exclusively created file is then removed, whether
the race has been won or not.
The privsep child will refuse to run unless the executing user
owns the mailbox file, that is, has read (or read/write, dependent
on mode), the target of the link will always be the name of said
mailbox with a ".lock" suffix (Unix dotlock locking).
| privsep.c | diffblobblamehistory |