[Pm-utils] some simple patches from fedora

Till Maas opensource at till.name
Wed Jan 30 08:46:21 PST 2008


On Wed January 30 2008, Stefan Seyfried wrote:
> On Wed, Jan 30, 2008 at 04:11:44PM +0100, Till Maas wrote:
> > On Wed January 30 2008, Stefan Seyfried wrote:
> > > If somebody managed to get a symlink where the logfile should be, you
> > > are fscked. So i think this is less secure.
> >
> > And what if somebody gets /usr/lib/pm-utils/bin/pm-action to be an
> > arbitrary binary? Then you are fscked, too.
>
> But you might need to subvert another part of the system to accomplish

It might also be possible that someone can only subvert files that do not 
contain only single ticks and space-characters.

> this. Being paranoid, it is always a good idea to at least make sure that
> there is no symlink where you want to create your file. The easiest way to

Being paranoid, it is always a good idea to append some single ticks, space 
characters and other random characters to the filename of a file.

But from an objective point of view, changing files that belong to root:root 
and are not world-writable needs the same privileges.

> accomplish this is to remove it before. If selinux cannot cope with that,
> that's a selinux problem. Fix it there.

It is not a selinux problem that the properties of a file need to be defined 
when you create it, the selinux-context is just a property like owner, group 
or permissions.

> > I do not see the point, how changing the
> > logfile is easier than changing any other component of pm-utils.
>
> It depends on what service you can get to act up. Additional paranoia is
> always good. :-)

You need at least root privileges for both. For every "create a symlink 
as /var/log/pm-suspend.log for unprivileged users, but do nothing else" 
service one can think of, there is also a "put an arbitrary binary 
at /usr/lib/pm-utils/bin/pm-action for unprivileged users, but do nothing 
else" service. Therefore this is not a valid reason why it should be easier 
to change the logfile than to change anything else. I hope it is clear what I 
want to say here. :-)

And last but not least you create a race condition with your paranoia. Btw. 
with selinux you can satisfy additional paranoia.

Regards,
Till