Ubuntu
cfengine3 package

security alert: path race exploited in recursion

Bug #646777 reported by Philippe Clérié
36
This bug affects 7 people
Affects Status Importance Assigned to Milestone
cfengine3 (Debian)
Fix Released
Unknown
cfengine3 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Binary package hint: cfengine3

cfengine3 reports the following message:

SERIOUS SECURITY ALERT: path race exploited in recursion to/from /var/lib/cfengine3/inputs. Not safe for agent to continue - aborting.

Steps to reproduce:
- Put the configuration files in /etc/cfengine3 as expected
- execute: sudo cf-agent --verbose

The message should be near the bottom.

I found a hint on the CFEngine forums that the problem might be because /var/lib/cfengine3/inputs is a symbolic link to /etc/cfengine3. There is no clue as to why that should be a problem. Anyway, I deleted the link, made a real inputs directory and put my configuration files in there. cfengine3 now works like a charm.

Regards
Philippe

Revision history for this message
Per Christian Henden (perchrh-malone) wrote :

Yeah, making /var/lib/cfengine3/inputs a real directory and linking /etc/cfengine3 to /var/lib/cfengine3/inputs worked nicely.

Bug Watch Updater (bug-watch-updater)
Changed in cfengine3 (Debian):
status: Unknown → New
Revision history for this message
Philip Hands (phil-hands) wrote :

As pointed out by Chris Dumont in the matching Debian bug:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611659#20

the problem here is not the symlink, but the fact that the update.cf from the examples directory is still using the old path, thus causing the symlink to be used, whereas it can just as easily point directly at /etc/cfengine3, so don't mess around with the symlinks, particularly since that breaks FHS, but rather just fix the broken example configuration file.

(the Debian bug comment referred to above includes a diff that shows precisely what is needed)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cfengine3 (Ubuntu):
status: New → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in cfengine3 (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.