Your message dated Tue, 16 Jan 2007 19:59:31 -0800
with message-id <[EMAIL PROTECTED]>
and subject line thttpd: malicious user may start stopped daemon exploiting
logrotate
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: thttpd
Version: 2.21b-11
The logrotate script packaged with thttpd-2.21b-11 allows a
malicious unprivileged user to start a temporarily disabled daemon.
/etc/logrotate.d/thttpd uses the file /tmp/start_thttpd as a flag
for remembering whether the daemon was running before logrotate and
therefore has to be restarted after rotating the log file. A malicious
user can create the file /tmp/start_thttpd manually.
The next time logrotate runs, the thttpd daemon will be started,
even if the daemon had been temporarily stopped by the system
administrator for whatever reason by issuing /etc/init.d/thttpd stop
(and optionally rcconf, etc.).
I suggest moving the file into a directory for which a normal user has
no write permissions.
===================================================================
RCS file: /etc/logrotate.d/RCS/thttpd,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- /etc/logrotate.d/thttpd 2003/10/12 15:37:33 1.1
+++ /etc/logrotate.d/thttpd 2003/10/12 15:38:16 1.2
@@ -4,15 +4,16 @@
compress
missingok
prerotate
+ rm -f /var/run/start_thttpd
if pidof thttpd 2>&1 > /dev/null; then
- touch /tmp/start_thttpd
+ touch /var/run/start_thttpd
/etc/init.d/thttpd stop 2>&1 > /dev/null
fi
endscript
postrotate
- if [ -f /tmp/start_thttpd ]; then
+ if [ -f /var/run/start_thttpd ]; then
/etc/init.d/thttpd start 2>&1 > /dev/null
- rm -f /tmp/start_thttpd
+ rm -f /var/run/start_thttpd
fi
endscript
}
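Review bot: the unchanged pidof and init-script lines in both the prerotate and postrotate blocks redirect with `2>&1 > /dev/null`, which points stderr at the original stdout before stdout is sent to /dev/null, so error output is not silenced; since the patch already edits these blocks, write `> /dev/null 2>&1` instead. The added `rm -f /var/run/start_thttpd` at the top of prerotate removes any pre-existing flag before the pidof check, and it deserves a one-line comment saying so. The fix also relies on /var/run not being writable by unprivileged users, which is worth stating in that comment.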
I am using Debian 3.0 on a Sun Sparc.
Linux foo 2.4.22-rc2 #3 Sat Aug 23 21:49:44 CEST 2003 sparc64 unknown
ii thttpd 2.21b-11 tiny/turbo/throttling HTTP server
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries and Timezone
ii logrotate 3.5.9-8 Log rotation utility
ii mime-support 3.18-1.3 MIME files 'mime.types' & 'mailcap', and sup
ii debconf 1.0.32 Debian configuration management system
regards,
Sebastian
--- End Message ---
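The root cause in this report generalises beyond thttpd: any logrotate script block that keeps state under a world-writable directory lets an unprivileged user forge that state. The audit below is an added example, not part of the original report or the Debian package; `audit_logrotate` and `write_samples` are hypothetical names, and the sample configs are constructed from the two revisions in the report with a placeholder log path.

```shell
#!/bin/sh
# Added example: find logrotate script blocks that keep state under /tmp or /var/tmp.

# audit_logrotate FILE...
# Prints "file:line: text" for each line inside a prerotate/postrotate/
# firstaction/lastaction/preremove block that names a path under /tmp or
# /var/tmp. Returns 1 if any line was flagged, 0 otherwise.
audit_logrotate() {
    awk '
        FNR == 1 { in_script = 0 }
        /^[ \t]*(prerotate|postrotate|firstaction|lastaction|preremove)[ \t]*$/ { in_script = 1; next }
        /^[ \t]*endscript[ \t]*$/ { in_script = 0; next }
        in_script && (" " $0) ~ "[^A-Za-z0-9_./-]/(var/)?tmp/" {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# write_samples DIR (hypothetical helper): constructed configs modelled on
# revisions 1.1 and 1.2 in the report; the log path is a placeholder.
write_samples() {
    for rev in before:/tmp after:/var/run; do
        flag="${rev#*:}/start_thttpd"
        cat > "$1/thttpd.${rev%%:*}" <<EOF
/var/log/placeholder.log {
    prerotate
        if pidof thttpd > /dev/null 2>&1; then
            touch $flag
            /etc/init.d/thttpd stop > /dev/null 2>&1
        fi
    endscript
    postrotate
        if [ -f $flag ]; then
            /etc/init.d/thttpd start > /dev/null 2>&1
            rm -f $flag
        fi
    endscript
}
EOF
    done
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_logrotate "$demo_dir/thttpd.before" "$demo_dir/thttpd.after" || echo "flagged: state in a world-writable directory"
rm -rf "$demo_dir"
```

On a real system the function would be pointed at `/etc/logrotate.conf` and the files in `/etc/logrotate.d/`; a non-zero exit status makes it usable as a configuration check.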
--- Begin Message ---
Version: 2.23beta1-5
This bug has just been raised to 'grave' severity as a security bug, but the
bug has also already been fixed in etch and sid (and possibly in sarge?).
Marking as closed.
Thanks,
--
Steve Langasek
Debian Developer
[EMAIL PROTECTED]
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
--- End Message ---