Discussion:
[Openhpi-devel] /var/lib/openhpi world-writable imposes security risk
Rafael dos Santos
2015-06-23 16:40:01 UTC
Hi,

is there any reason why the directory '/var/lib/openhpi' is created with world-writable permissions?

from Makefile.am (line 134):
$(mkinstalldirs) $(DESTDIR)$(VARPATH)
chmod 777 $(DESTDIR)$(VARPATH)

An attacker could use it to fill up the storage hosting the /var/lib/ directory if quotas are not properly set.


Att.
--
Rafael Fonseca
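As an added example (constructed for this thread, not OpenHPI's own code or the attached patch): a small POSIX shell audit that flags the condition the `chmod 777` line produces, a world-writable directory without the sticky bit, next to the 0755 remediation. The temporary directories it creates are stand-ins for /var/lib/openhpi.

```shell
#!/bin/sh
# Classify one directory by its mode bits, using only portable ls/cut.
# Prints "ok", "world-writable" (o+w, no sticky bit) or
# "world-writable-sticky" (o+w with sticky bit, like /tmp).
audit_dir() {
    perms=$(ls -ld "$1" | cut -c1-10)        # e.g. drwxrwxrwx
    ow=$(printf '%s' "$perms" | cut -c9)      # others' write bit
    st=$(printf '%s' "$perms" | cut -c10)     # others' execute / sticky
    if [ "$ow" != "w" ]; then
        echo ok
        return 0
    fi
    case "$st" in
        t|T) echo world-writable-sticky ;;
        *)   echo world-writable ;;
    esac
    return 0
}

# Post-install sweep: directories under $1 that any user can write to
# and that lack the sticky bit. /tmp-style 1777 directories are skipped.
find_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Remediation the report calls for: owner-writable only (0755).
harden_dir() {
    chmod 755 "$1"
}

# Demo on a constructed tree; do not point this at a real /var/lib.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/openhpi" "$tmp/other"
    chmod 777 "$tmp/openhpi"          # what the Makefile.am line does
    chmod 755 "$tmp/other"
    echo "before: $(audit_dir "$tmp/openhpi")"
    find_world_writable "$tmp"
    harden_dir "$tmp/openhpi"
    echo "after:  $(audit_dir "$tmp/openhpi")"
    rm -rf "$tmp"
}
```

Running `demo` shows the directory going from world-writable to ok; `find_world_writable /var/lib` is the one-liner to run after `make install` on a real system.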
Mohan
2015-06-23 16:58:34 UTC
Hi Rafael,

Not familiar with this code segment. But when openhpi* is installed, it
creates /var/lib/openhpi with 755 permissions. Just tested it. Please
let me know if that is not the case with steps to recreate the problem
(777 permissions on /var/lib/openhpi)

Thanks
Mohan
_______________________________________________
Openhpi-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openhpi-devel
Rafael dos Santos
2015-06-24 10:46:19 UTC
Mohan,

I just did a fresh install from the latest version (Revision: 7633) here.

===
$: head config.log
It was created by openhpi configure 3.6.0, which was
generated by GNU Autoconf 2.69. Invocation command line was

$ ./configure --prefix=/tmp --sysconfdir=/etc --with-varpath=/var/lib/openhpi
===

After the install, this is what I got

$: ls -l /var/lib/
[...]
drwxrwxrwx. 2 root root 4096 Jun 24 12:39 openhpi


Att.
--
Rafael Fonseca
Rafael dos Santos
2015-06-24 15:24:06 UTC
Mohan,

I realised that if you already have the /var/lib/openhpi dir on your system, no modifications are made. So you need to delete it before trying to install again. Anyway, if you can reproduce the issue, the attached patch solves the problem.

Let me know if you need any more info.


Att.
--
Rafael Fonseca
Mohan
2015-07-08 16:23:27 UTC
Hi Rafael,

Could you please create a bug in SourceForge? We will check in the change
and close the bug.

Thanks
Mohan
Rafael dos Santos
2015-07-08 16:35:40 UTC
----- Original Message -----
Post by Mohan
Hi Rafael,
Could you please create a bug in SourceForge? We will check in the change
and close the bug.
Sure thing. It's done: https://sourceforge.net/p/openhpi/bugs/1883/


Att
--
Rafael Fonseca
