Package: cfengine3
Version: 3.0.5+dfsg-1
To reproduce:
# aptitude install cfengine3
# cp /usr/share/doc/cfengine3/examples/* /etc/cfengine3
# cfengine-server:/etc/cfengine3# cf-agent -nI
SERIOUS SECURITY ALERT: path race exploited in recursion to/from
/var/lib/cfengine3/inputs. Not safe for agent to continue - aborting
Received signal 15 (SIGTERM) while doing []
A search for the problem yielded little information, hinting that
cfengine may be taking exception to /var/lib/cfengine3/inputs being
a symbolic link. Cursory inspection of the source code involved in
printing that message seems to imply that it indeed wouldn't like
symlinks (in src/recursion.c):
void CheckLinkSecurity(struct stat *sb,char *name)
{ struct stat security;
Debug("Checking the inode and device to make sure we are where we think we
are...\n");
if (cfstat(".",&security) == -1)
{
CfOut(cf_error,"stat","Could not stat directory %s after entering!",name);
return;
}
if ((sb->st_dev != security.st_dev) || (sb->st_ino != security.st_ino))
{
CfOut(cf_error,"","SERIOUS SECURITY ALERT: path race exploited in recursion
to/from %s. Not safe for agent to continue - aborting",name);
HandleSignals(SIGTERM);
/* Exits */
}
}
It is not clear to me why cfengine would have such a bad attitude
towards symlinks in its work area. I am also amazed that people seem to
be using cfengine3 on Debian, yet this has gone unreported.
This is running on Squeeze.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
