Home page logo

oss-sec logo oss-sec mailing list archives

Re: radvd 1.8.2 released with security fixes
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 13 Oct 2011 12:42:42 +0530

On 10/07/2011 04:22 AM, Solar Designer wrote:

3) The radvd daemon would not fail on privsep_init() errors, which could
cause it to run with full root privileges when it should be running as
an unprivileged user. (CVE-2011-3603)

I think this is not an issue at all:

If you look at the unpatched code, in privsep-linux.c, privsep_init() can return -1 at two places.

A. if pipe(pipefds) fails
B. If fork() fails

If either of these functions fails, the end result is that there is no fork() and radvd runs as a single process.

Now looking at radvd.c

        /* drop root privileges if requested. */
        if (username) {
                if (!singleprocess) {
                        dlog(LOG_DEBUG, 3, "Initializing privsep");
                        if (privsep_init() < 0)
flog(LOG_WARNING, "Failed to initialize privsep.");

                if (drop_root_privileges(username) < 0) {

After running privsep_init(), drop_root_privileges() is run, so :

a. if privsep_init() failed and drop_root_privileges() did not fail, you end up running a single radvd process running as radvd user, which is similar to running "radvd --singleprocess"

b. if privsep_init() failed and drop_root_privileges() failed, you bail out of the program, similar to what would happen if privsep_init() did not fail.

c. if privsep_init() and drop_root_privileges() did not fail, we have two radvd process, one running as radvd user and the other is root

So from what i can see, the maximum harm which would occur if privsep_init() fails, is that radvd would effectively run in --singleprocess mode

Huzaifa Sidhpurwala / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]