The patch.

Carter Bullard carter at qosient.com
Tue Mar 19 11:11:35 EST 2002


Hey Yotam,
   Well, there is nothing that I can do to enforce
that a user protect their /etc/argus.conf file.
Giving a program the potential to create rogue pid
files is an interesting problem, as it can setup a
very subtle non-corrupting denial of service attack
against other system daemons.  This is much different
from the problems that programs can cause by corrupting
or deleting files.

   Since most daemons don't generate syslog output
when there is an existing daemon, it could be 
an attack that would be quite difficult to detect.

   I see an advantage to specifying the directory the
pid should be in, (avoid OS issues) and allowing
the application to name the pid file, but I don't
see any real advantage to a script specifying the
actual pid filename.  Now if we're having problems
with argus's strategy of naming pid files, we should
change that.

What do you think?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Yotam Rubin
> Sent: Tuesday, March 19, 2002 10:27 AM
> To: Argus
> Subject: Re: The patch.
> 
> 
> On Tue, Mar 19, 2002 at 09:48:47AM -0500, Carter Bullard wrote:
> > Hey Yotam,
> > Hmmmm, I think you're missing my important point,
> > and I apologize for not being precise.
> > 
> > If a process with root privileges is allowed to create
> > any pid file, without restrictions, there is nothing to
> > keep it from creating, say, /var/run/identd.pid,
> > as an example.  If this is possible, then there is the
> > real possibility that the program can be used to prevent
> > key programs from running.  The real identd starts, finds
> > the rogue pid file, signals the pid that is in the file
> > and finds that there is a running process, and then
> > exists, since pid files are used by most programs as
> > an exclusive mechanism.
> 
> Yes. That's exactly what I've been talking about. Like I've stated in
> my private response, how is this problem limited only to the 
> creation of
> pid files? _Any_ program that allows the user to specify a 
> file for writing
> (e.g., log files) is prone to this problem. This problem can 
> only happen
> if a malicious user gains access to sensitive files. If this 
> is the case,
> then you have a bigger problem than argus over writing PID files. 
> I mean, what prevents a user with sufficient access from doing 
> "argus -w /dev/mem"?
> 
> > 
> > Really bad idea.  How can we avoid this fundamental
> > security problem?  
> 
> It's much a problem as giving a malicious user access. If 
> managed properly,
> there's no chance of an administrator accidentally 
> overwriting important
> PID files. The problem is fundamental as trusting the user calling or
> configuring argus. Any program operating that assumption is 
> better off not
> running at all. 
> 
> > I believe that httpd and the others
> > that you mention have this flaw, without any obvious
> > advantage.  Specifying the pid directory, rather than
> > the file, would be adequate.
> 
> The major gain is flexibility. Making the PID file location 
> configurable
> made my scripts easier to understand and write. 
> 
> 	Regards, Yotam Rubin
> 
> > 
> > Carter
> > 
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York  10022
> > 
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax   +1 212 588-9134
> > http://qosient.com
> > 
> > 
> > > -----Original Message-----
> > > From: Yotam Rubin [mailto:yotam at makif.omer.k12.il] 
> > > Sent: Tuesday, March 19, 2002 9:32 AM
> > > To: Carter Bullard
> > > Subject: Re: The patch.
> > > 
> > > 
> > > On Tue, Mar 19, 2002 at 09:15:17AM -0500, Carter Bullard wrote:
> > > > Hey Yotam,
> > > > I'm not aware of any program that will let you specify
> > > > the name of the pid file, do you have any examples
> > > > in mind?    How do you prevent argus from overwriting
> > > > /var/run/identd.pid?
> > > 
> > > Well, it looks like thttpd and mason allow the user to 
> > > specify a PID file.
> > > Additionally, Debian's start-stop-daemon program allows it as 
> > > well, and
> > > many scripts rely on the specific location of the PID file.
> > > The only thing we can do to prevent argus from overwriting 
> > > other files 
> > > is to stat() the pid file before writing to it. Important 
> > > files can also be
> > > clobbered if the user specifies a certain archive file. 
> > > 
> > > 	Regards, Yotam Rubin
> > > 
> > > 
> > > > 
> > > > Carter
> > > > 
> > > > Carter Bullard
> > > > QoSient, LLC
> > > > 300 E. 56th Street, Suite 18K
> > > > New York, New York  10022
> > > > 
> > > > carter at qosient.com
> > > > Phone +1 212 588-9133
> > > > Fax   +1 212 588-9134
> > > > http://qosient.com
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: Yotam Rubin [mailto:yotam at makif.omer.k12.il] 
> > > > > Sent: Tuesday, March 19, 2002 8:56 AM
> > > > > To: Carter Bullard
> > > > > Subject: Re: The patch.
> > > > > 
> > > > > 
> > > > > On Tue, Mar 19, 2002 at 08:05:56AM -0500, Carter 
> Bullard wrote:
> > > > > > Hey Yotam,
> > > > > >    I'm putting in the pid file support now, and I've
> > > > > > got a few questions.  Since argus normally runs with
> > > > > > root privileges, specifying an arbitrary pid filename
> > > > > > may cause some problems, writing over an existing system 
> > > > > file, etc...
> > > > > > 
> > > > > > It would seem a bit safer if we examine the target file
> > > > > > to see if its actually a pid file before clobbering it,
> > > > > > but that doesn't really work, as there is nothing
> > > > > > preventing someone from specifying that argus should use
> > > > > > the pid file for sendmail, as an example, which would
> > > > > > keep that application from running, if argus came before
> > > > > > it in the boot startup sequence.
> > > > > 
> > > > > 
> > > > > Yeah, we should probably stat() the pid file before 
> writing it.
> > > > > 
> > > > > > 
> > > > > > Would it be alright if we allow the user to specify the
> > > > > > pid file directory, rather than the exact file?
> > > > > 
> > > > > Well, I find it more comfortable to specify the exact 
> > > > > location of the PID file. Also, this is common behavior in 
> > > > > other programs as well. The user probably wants a method to 
> > > > > distinctly determine the location of the pid file. Letting 
> > > > > argus select the name of the pidfile has no significant 
> > > > > benefit, and may cause errors. For example, the Debian 
> > > > > package may start argus whenever a PPP 
> > > > > interface comes up. It's more comfortable to rely on the 
> > > > > script's pid file handling, than on argus' pid file name 
> > > selection.
> > > > > 
> > > > > > 
> > > > > > Would you support a single option for the command
> > > > > > line pid file?  Say "-n [piddir]", rather than using
> > > > > > two options?
> > > > > 
> > > > > I preserved the original PID file option because I was unsure 
> > > > > whether it was alright to remove it. It is more comfortable 
> > > > > to have a single option[1] rather than having two options 
> > > > > which achieve a similar result. It would seem better to leave 
> > > > > only the -c option.
> > > > > 
> > > > > 	Regards, Yotam Rubin
> > > > > 
> > > > > [1] GNU getopt() supports options with optional arguments. 
> > > > > This enables
> > > > >     to let argus select the pid file name when no argument is 
> > > > > specified, 
> > > > >     or create the pid file at the user specified location. 
> > > > > Sadly, this behavior
> > > > >     is not portable, so if we want to use it the inclusion of 
> > > > > the GNU getopt()
> > > > >     is required.
> > > > > 
> > > > > 
> > > > > > 
> > > > > > Carter
> > > > > > 
> > > > > > Carter Bullard
> > > > > > QoSient, LLC
> > > > > > 300 E. 56th Street, Suite 18K
> > > > > > New York, New York  10022
> > > > > > 
> > > > > > carter at qosient.com
> > > > > > Phone +1 212 588-9133
> > > > > > Fax   +1 212 588-9134
> > > > > > http://qosient.com
> > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > From: Yotam Rubin [mailto:yotam at makif.omer.k12.il]
> > > > > > > Sent: Wednesday, February 27, 2002 4:26 PM
> > > > > > > To: 'Carter Bullard'
> > > > > > > Subject: The patch.
> > > > > > > 
> > > > > > > 
> > > > > > > Hey,
> > > > > > > 
> > > > > > > 	The patch discussed on the list is attached herein.
> > > > > > > 
> > > > > > > 	Regards, Yotam Rubin
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > 
> > > > 
> > > > 
> > > 
> > > 
> > 
> > 
> 
> 



More information about the argus mailing list