[Pm-utils] some simple patches from fedora
Till Maas
opensource at till.name
Wed Jan 30 08:46:21 PST 2008
On Wed January 30 2008, Stefan Seyfried wrote:
> On Wed, Jan 30, 2008 at 04:11:44PM +0100, Till Maas wrote:
> > On Wed January 30 2008, Stefan Seyfried wrote:
> > > If somebody managed to get a symlink where the logfile should be, you
> > > are fscked. So i think this is less secure.
> >
> > And what if somebody gets /usr/lib/pm-utils/bin/pm-action to be an
> > arbitrary binary? Then you are fscked, too.
>
> But you might need to subvert another part of the system to accomplish
It might also be possible that someone can only subvert files that do not
contain only single ticks and space characters.
> this. Being paranoid, it is always a good idea to at least make sure that
> there is no symlink where you want to create your file. The easiest way to
Being paranoid, it is always a good idea to append some single ticks, space
characters and other random characters to the filename of a file.
But from an objective point of view, changing files that belong to root:root
and are not world-writable needs the same privileges.
> accomplish this is to remove it before. If selinux cannot cope with that,
> that's a selinux problem. Fix it there.
It is not a selinux problem that the properties of a file need to be defined
when you create it, the selinux-context is just a property like owner, group
or permissions.
> > I do not see the point, how changing the
> > logfile is easier than changing any other component of pm-utils.
>
> It depends on what service you can get to act up. Additional paranoia is
> always good. :-)
You need at least root privileges for both. For every "create a symlink
as /var/log/pm-suspend.log for unprivileged users, but do nothing else"
service one can think of, there is also a "put an arbitrary binary
at /usr/lib/pm-utils/bin/pm-action for unprivileged users, but do nothing
else" service. Therefore this is not a valid reason why it should be easier
to change the logfile than to change anything else. I hope it is clear what I
want to say here. :-)
And last but not least you create a race condition with your paranoia. Btw.
with selinux you can satisfy additional paranoia.
Regards,
Till
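The two approaches argued over above, as an added example that is not part of the thread and not pm-utils code (pm-utils itself is shell; this is the open(2)-level version of the check). It plants a symlink named pm-suspend.log in a scratch directory (assumed to be under /tmp, with a constructed "victim" file standing in for a root-owned target), shows that a plain append-open follows the link and writes into the victim, and shows a hardened open using O_NOFOLLOW plus an fstat check that refuses the link with ELOOP. Because the hardened open never removes and recreates anything, there is no window for an attacker to re-plant the symlink between a check and the create, which is the race mentioned in the reply. Parent directories (/var/log) are still trusted: O_NOFOLLOW only governs the final path component.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one run of the planted-symlink scenario. */
struct scenario_result {
    int naive_followed_symlink; /* 1 if the naive open wrote into the victim file */
    int safe_errno;             /* errno from the hardened open (ELOOP expected) */
    int safe_fresh_ok;          /* 1 if the hardened open creates a fresh log normally */
};

/*
 * Hardened logfile open. O_NOFOLLOW makes open(2) fail with ELOOP if the
 * final component is a symlink, and the fstat on the returned descriptor
 * rejects anything that is not a regular file with exactly one link
 * (a hard link to another root-owned file would otherwise pass).
 * No remove-then-create step, so no race window.
 */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;              /* errno is ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* The naive open of a logfile: follows whatever the name points at. */
int open_log_naively(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
}

/*
 * Build the attack in a scratch directory (constructed here, not a real
 * /var/log): "victim" stands in for a file the attacker cannot write, and
 * an attacker-planted symlink named pm-suspend.log points at it.
 */
int run_symlink_scenario(struct scenario_result *r)
{
    char dir[] = "/tmp/pmlog-XXXXXX";    /* assumed writable scratch location */
    char victim[128], logpath[128], fresh[128];
    struct stat st;
    int fd;

    memset(r, 0, sizeof *r);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logpath, sizeof logpath, "%s/pm-suspend.log", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.log", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(victim, logpath) != 0)    /* the planted symlink */
        return -1;

    /* Naive open: the symlink is followed and the "log line" lands in victim. */
    fd = open_log_naively(logpath);
    if (fd >= 0) {
        ssize_t n = write(fd, "x\n", 2);
        (void)n;
        close(fd);
    }
    if (stat(victim, &st) == 0 && st.st_size == 2)
        r->naive_followed_symlink = 1;

    /* Hardened open on the same path: refused outright with ELOOP. */
    fd = open_log_safely(logpath);
    r->safe_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    /* Hardened open on a path with no symlink: creates the file as usual. */
    fd = open_log_safely(fresh);
    r->safe_fresh_ok = (fd >= 0);
    if (fd >= 0)
        close(fd);

    unlink(fresh);
    unlink(logpath);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct scenario_result r;
    if (run_symlink_scenario(&r) != 0) {
        perror("scenario");
        return 1;
    }
    printf("naive open followed the symlink: %d\n", r.naive_followed_symlink);
    printf("hardened open errno: %d (%s)\n", r.safe_errno, strerror(r.safe_errno));
    printf("hardened open of a fresh file ok: %d\n", r.safe_fresh_ok);
    return 0;
}
```

The hardened variant also keeps the SELinux point intact: the file is created in a single open(2) call, so whatever context, owner and mode policy assigns at creation applies once, instead of being recomputed after an unlink and recreate.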