[ntp:security] [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames

bugzilla-daemon at ntp.org
Tue Oct 13 20:39:58 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2938

--- Comment #5 from Danny Mayer <mayer at ntp.org> 2015-10-13 20:39:58 UTC ---
(In reply to comment #3)
> (In reply to comment #2)
> > 
> > If the ntp.conf file is /etc/ntp.conf then this fix can potentially overwrite
> > /etc/password. Should we be checking if it would overwrite a file and prevent
> > that from happening?
> >
> 
> In that regard we're at least not worse off than we are today... It would
> require a 'saveconfigdir /etc' statement in the config file, and the daemon
> would need write permission to that directory. This can admittedly happen when
> running as root. But then running a remote configurable server with root
> privileges is a bad idea anyway.
> 
> The only chance I can see is to add 'O_EXCL' to the list of open flags, so
> overwriting an existing file will be impossible even for root. This would surely
> put a clamp on it, though I have to check MSDN if this also works on Windows
> and possibly VMS. Any ideas on that?
> 
> Pearly

That would only work with Unix. VMS has a totally different permission
structure and Windows is actually closer to that. I don't remember if O_EXCL
can be used in either of them via some sort of function call.

Danny
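
The create-only open with 'O_EXCL' discussed above, sketched for POSIX systems as an added example; it is not part of the original thread and not ntpd's saveconfig code. The helper name `save_new_file`, its parameters, and the filename check (taken from the bug title, not from the actual fix) are assumptions.

```c
/* Added example: hypothetical helper, not ntpd's saveconfig code. POSIX only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `data` to dir/name, creating the file but never replacing one.
 * Returns 0 on success, -1 with errno set (EEXIST if the name is taken,
 * EINVAL if the name could leave `dir`). */
int save_new_file(const char *dir, const char *name, const char *data)
{
    char path[1024];
    size_t len = strlen(data), off = 0;
    int fd, n;

    /* Keep the write inside the configured directory. */
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_CREAT|O_EXCL: the existence check and the create are one atomic step,
     * so this fails with EEXIST regardless of privilege, and it also fails
     * if the final path component is a symbolic link. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t w = write(fd, data + off, len - off);
        if (w < 0) {
            if (errno == EINTR) continue;
            int saved = errno;
            close(fd);
            unlink(path);  /* this call created the file, so removing it is safe */
            errno = saved;
            return -1;
        }
        off += (size_t)w;
    }
    return close(fd);
}
```
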
