[ntp:security] [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Oct 13 20:32:11 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2938

--- Comment #3 from Juergen Perlinger <perlinger at ntp.org> 2015-10-13 20:32:11 UTC ---
(In reply to comment #2)
> 
> If the ntp.conf file is /etc/ntp.conf then this fix can potentially overwrite
> /etc/password. Should we be checking if it would overwrite a file and prevent
> that from happening?
>

In that regard we're at least not worse off than we are today...It would
require a 'saveconfigdir /etc' statement in the config file, and the daemon
would need write permission to that directory. This can admittedly happen when
running as root. But then running a remote configurable server with root
privileges is a bad idea anyway.

The only chance I can see is to add 'O_EXCL' to the list of open flags, so
overwriting an existing file will impossible even for root. This would surely
put a clamp on it, though I have to check MSDN if this also works on Windows
and possibly VMS. Any ideas on that?

Pearly

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the security mailing list