security alert: path race exploited in recursion

Bug #646777 reported by Philippe Clérié on 2010-09-24
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
cfengine3 (Debian) | Fix Released | Unknown | |
cfengine3 (Ubuntu) | | Undecided | Unassigned |

Bug Description

Binary package hint: cfengine3

cfengine3 reports the following message:

SERIOUS SECURITY ALERT: path race exploited in recursion to/from /var/lib/cfengine3/inputs. Not safe for agent to continue - aborting.

Steps to reproduce:
- Put the configuration files in /etc/cfengine3 as expected
- execute: sudo cf-agent --verbose

The message should be near the bottom.

I found a hint on the CFEngine forums that the problem might be because /var/lib/cfengine3/inputs is a symbolic link to /etc/cfengine3. There is no clue as to why that should be a problem. Anyway, I deleted the link, made a real inputs directory and put my configuration files in there. cfengine3 now works like a charm.

Regards
Philippe

Yeah, making /var/lib/cfengine3/inputs a real directory and linking /etc/cfengine3 to /var/lib/cfengine3/inputs worked nicely.

Changed in cfengine3 (Debian):
status: Unknown → New
Philip Hands (phil-hands) wrote :

As pointed out by Chris Dumont in the matching Debian bug:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611659#20

the problem here is not the symlink, but the fact that the update.cf from the examples directory is still using the old path, thus causing the symlink to be used, whereas it can just as easily point directly at /etc/cfengine3, so don't mess around with the symlinks, particularly since that breaks FHS, but rather just fix the broken example configuration file.

(the Debian bug comment referred to above includes a diff that shows precisely what is needed)
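Why a symlinked inputs path can trip an agent while pointing directly at the real directory does not, as an added illustration (not CFEngine's code and not part of this report): a recursive file tool can record a directory's identity with lstat(), refuse symlinks, and confirm after opening that it holds the same object. That the alert above comes from a comparable check is an assumption; `checked_descend`, `demo` and the temp layout are hypothetical names constructed for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if `path` is a real directory and is still the same object
 * after opening it; -1 if it is a symlink, not a directory, or was
 * swapped between the check and the use (a path race). */
int checked_descend(const char *path)
{
    struct stat before, after;
    if (lstat(path, &before) != 0) return -1;
    if (!S_ISDIR(before.st_mode)) return -1;   /* a symlink fails here */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;                     /* replaced by a link or file */
    int same = fstat(fd, &after) == 0 &&
               after.st_dev == before.st_dev &&
               after.st_ino == before.st_ino;
    close(fd);
    return same ? 0 : -1;
}

/* Constructed layout in a temp dir: etc/ is a real directory and inputs
 * is a symlink to it, mirroring the packaging described in this report.
 * Returns checked_descend() for inputs (via_link=1) or etc (via_link=0),
 * or -2 if the layout could not be created. */
int demo(int via_link)
{
    char base[] = "/tmp/pathrace-XXXXXX";
    char etc[64], inputs[64];
    int rc = -2;
    if (mkdtemp(base) == NULL) return rc;
    snprintf(etc, sizeof etc, "%s/etc", base);
    snprintf(inputs, sizeof inputs, "%s/inputs", base);
    if (mkdir(etc, 0700) == 0 && symlink(etc, inputs) == 0)
        rc = checked_descend(via_link ? inputs : etc);
    unlink(inputs);
    rmdir(etc);
    rmdir(base);
    return rc;
}

int main(void)
{
    printf("real directory: %d\n", demo(0));
    printf("symlinked path: %d\n", demo(1));
    return 0;
}
```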

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cfengine3 (Ubuntu):
status: New → Confirmed
Changed in cfengine3 (Debian):
status: New → Fix Released