Hi,

> On Fri, Dec 10, 2010 at 9:43 AM, Michael Tautschnig <m...@debian.org> wrote:
> >> These lines from this package's maintainer scripts suggest that it likely
> >> is affected by the vulnerability:
> >>
> >> ---------------------------------------------------------------------------
> >> chmod 640 $FRESHCLAMLOGFILE
> >> chown "$dbowner":adm $FRESHCLAMLOGFILE
> >> ---------------------------------------------------------------------------
> >>
> >
> > What is wrong about these two lines? And even from ...
>
> It suggests the daemon itself creates the file. Copytruncate suggests
> logrotate also creates the file.

As noted in my reply to this mail, in this specific case it actually doesn't
(it's just the file, not the directory)--but generally, that was the point,
yes.

> Logrotate runs as root, so if the attacker (running as daemon user)
> creates the symlink, logrotate might overwrite an arbitrary file (I
> guess).

Essentially, that's it, or at least close to it. As already mentioned, I
don't recall all the details anymore, but my proof of concept somehow used a
hardlink to /etc/shadow that was made daemon-user-writable by logrotate, thus
allowing the daemon user to change the root password. Or something.

Also, almost certainly this vulnerability does not depend on copytruncate.

Florian

Archive: http://lists.debian.org/20101211020152.gh3...@florz.florz.dyndns.org
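
A defender-side check for the condition discussed in this thread, as an added example that is not part of the original mail or of logrotate: it flags a log file whose directory is owned by someone other than root, or which is a symlink or carries extra hard links, before a root-run rotator touches it. The function name, the finding labels and the `trusted_uids` parameter are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_log_path(path, trusted_uids=frozenset({0})):
    """Return findings for one log file that a root-run rotator will act on.

    Hypothetical helper: it only inspects metadata and never opens the file.
    """
    findings = []
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    dst = os.stat(parent)

    # Whoever can write the directory can swap the log file for a link,
    # even when the file itself (as in the quoted chown/chmod) looks fine.
    if dst.st_uid not in trusted_uids:
        findings.append("dir-owner-untrusted")
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("dir-group-or-world-writable")

    try:
        fst = os.lstat(path)  # lstat: look at the link itself, not its target
    except FileNotFoundError:
        return findings  # nothing to rotate yet; directory findings still apply

    if stat.S_ISLNK(fst.st_mode):
        findings.append("file-is-symlink")
    elif not stat.S_ISREG(fst.st_mode):
        findings.append("file-not-regular")
    elif fst.st_nlink > 1:
        # A second name for the same inode: chown/chmod on the log
        # would also change the file behind the other name.
        findings.append("file-has-extra-hardlinks")
    return findings


if __name__ == "__main__":
    # Usage: pass the log paths named in a logrotate config as arguments.
    for p in sys.argv[1:]:
        result = audit_log_path(p)
        print(p, "OK" if not result else ", ".join(result))
```

The check describes the state at one moment only; it does not close the window between the check and the rotator's own chown or chmod.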