DoS bug in initscripts

Michael A. Peters mpeters at mac.com
Mon Apr 7 09:11:08 PDT 2003


loadproc in the functions script calls getpids()

getpids()
{
        base=${1##*/}
        pidlist=$(pidof -o $$ -o $PPID -x $base)
}

If $1 isn't a full path then it can return a faulty PID, causing the
service to not start.

For example -
http://beyond.nl.linuxfromscratch.org/view/cvs/general/gpm.html

The init script is called gpm
The init script has:
 loadproc gpm -m $MDEVICE -t $PROTOCOL
in the start) case

loadproc() passes gpm to getpids(), and since the script is called gpm,
it finds a PID and states that the service is already running, causing
the init script to not properly start it.

The daemons should be called by full path in the init scripts to avoid
this, and getpids() should check the full path of the binary in case
of a sloppily written init script.

This will avoid accidental or malicious DoS of init scripts.

If you include "which" with the basic LFS this can easily be achieved:

[root at 12-233-116-216 root]# which gpm
/usr/sbin/gpm
[root at 12-233-116-216 root]# which `which gpm`
/usr/sbin/gpm
[root at 12-233-116-216 root]#

-- 
Michael A. Peters <mpeters at mac.com>
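As an added example (this is not code from the original post or from the LFS bootscripts), the following POSIX sh functions implement the two suggestions above: resolve a bare daemon name to its full path the way `which` does, and only accept PIDs whose /proc/PID/exe actually is that binary, so a shell script that merely shares the daemon's basename is never reported as the running daemon. The function names, the /proc scan in place of pidof, and the "sleep" stand-in daemon used in the check are assumptions made for this example.

```shell
# resolve_daemon NAME|PATH
# Resolve a daemon to the canonical full path of its binary. A bare name
# is looked up in PATH (what the post does with `which`); symlinks such
# as /bin -> /usr/bin are followed so the result matches /proc/PID/exe.
resolve_daemon() {
    case "$1" in
        /*) path="$1" ;;
        *)  path=$(command -v "$1") || return 1 ;;
    esac
    readlink -f "$path"
}

# getpids_byexe NAME|PATH
# Print the PIDs of processes whose executable is the resolved daemon
# binary, excluding this shell and its parent (like pidof -o $$ -o $PPID).
# Unlike `pidof -x base`, a script that happens to be named like the
# daemon does not match, because its /proc/PID/exe is the shell, not
# the daemon.
getpids_byexe() {
    target=$(resolve_daemon "$1") || return 1
    pidlist=""
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$pid" = "$$" ] && continue
        [ "$pid" = "$PPID" ] && continue
        # Unreadable (other user's) or gone (zombie) entries are skipped.
        exe=$(readlink -f "$d/exe" 2>/dev/null) || continue
        [ "$exe" = "$target" ] && pidlist="$pidlist $pid"
    done
    printf '%s\n' "${pidlist# }"
}

# check_name_collision
# Reproduces the scenario from the post with a constructed stand-in:
# a shell script named "sleep" (the "init script") runs the real sleep
# binary (the "daemon"). Returns 0 if the script's own PID is NOT
# reported while the real binary's PID is, 1 otherwise.
check_name_collision() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nsleep 3\n' > "$tmp/sleep"
    chmod +x "$tmp/sleep"
    "$tmp/sleep" &
    script_pid=$!
    sleep 1                      # give the script time to spawn its child
    pids=$(getpids_byexe sleep)  # bare name, as a sloppy script would pass it
    kill "$script_pid" 2>/dev/null
    rm -rf "$tmp"
    [ -n "$pids" ] || return 1
    case " $pids " in
        *" $script_pid "*) return 1 ;;  # name-only match: the bug
    esac
    return 0
}
```

Usage from an init script would be `getpids_byexe gpm` (or better, `getpids_byexe /usr/sbin/gpm`); an empty result means the daemon is not running and it is safe to start it. The check function is only there to show the name collision being rejected.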
