On Fri, Dec 10, 2010 at 03:10:19AM +0100, Florian Zumbiehl wrote:
> Package: aolserver4
> Version: 4.5.0-16.1
> Severity: grave
> Justification: privilege escalation vulnerability
> Tags: security
> ---------------------------------------------------------------------------
> chown -R www-data:www-data $LOGDIR
> chmod 755 $LOGDIR
> ---------------------------------------------------------------------------
>
Indeed, this code snippet potentially exposes the system to easy file-linking abuse (not necessarily symlinking) by evil scripts. Of course, in order to do that one has to abuse some Tcl/ADP scripts too before. I think the right thing to do is avoiding changing the ownership of the files, and simply restarting the server after rotating.

chown www-data:www-data $LOGDIR
chmod 755 $LOGDIR

If the new log file linked a system file, aolserver would fail to log, plain and clean; else it would create a new file and proceed (that would be the same with sym or hard links). Other apps, such as openacs or dotlrn, should do the same in their own dirs.

--
Francesco P. Lovergine
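As an added illustration of the point made in the reply (this is not code from the bug report or from the aolserver4 package), the following shell functions guard a log-rotation step: before touching ownership they scan $LOGDIR for symlinks and for regular files with more than one link, since a recursive chown run as root would follow such an entry to the inode it shares with a file elsewhere on the system, and they then change the owner of the directory itself only, non-recursively, as the reply suggests. Function names, and the owner argument, are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original report. Guards a postrotate step
# for a log directory that a www-data process can write to.
#
# Usage: safe_fix_logdir_owner DIR OWNER[:GROUP]

# Print entries in DIR that are symlinks, or regular files whose link
# count is above one (a hard link to a file outside DIR shares its inode).
# Returns 1 if any such entry exists, 0 otherwise.
check_logdir_links() {
    dir=$1
    # find does not follow symlinks by default, so -type l is reliable here.
    bad=$(find "$dir" \( -type l -o \( -type f -links +1 \) \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'refusing: linked entries found in %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Refuse to act when the directory holds linked entries; otherwise change
# ownership of the directory inode alone (no -R), then fix its mode.
safe_fix_logdir_owner() {
    dir=$1
    owner=$2
    check_logdir_links "$dir" || return 1
    chown "$owner" "$dir" && chmod 755 "$dir"
}
```

Run as root this replaces the `chown -R` line from the report; the test below exercises it unprivileged by chowning to the caller's own uid and gid, which any user may do on files they own.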