Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#35025 - Unknown security hole: program run as user can wriite files owned by root
Attached to Project:
Arch Linux
Opened by Storm Engineer (Stormheart) - Monday, 29 April 2013, 12:26 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 29 April 2013, 13:15 GMT
Opened by Storm Engineer (Stormheart) - Monday, 29 April 2013, 12:26 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 29 April 2013, 13:15 GMT
|
DetailsDescription:
The proprietary software VueScan is able to write /home/USERNAME/.vuescan/vuescan.ini even if the file is set to READ ONLY and is owned by root. If it is able to do that, it should be able to write any file. I tested with the latest up to date 64 bit build of Arch and VueScan 9.0.96 x64 downloaded from its homepage: http://www.hamrick.com/ Steps to reproduce: 1; Install "vusescan". (You can use it in unregistered mode without a purchase) 2; Locate /home/USERNAME/.vuescan/vuescan.ini, set it to read only and chown it to root. Note last modified time stamp. 3; Run VueScan and try scanning something, then close it. 4; Last modified time of /home/USERNAME/.vuescan/vuescan.ini changes*. * I tried to stop VueScan from constantly overwriting some settings I made with the defaults. I guess it stores them there as that is the only file other than a log in .vuescan. After the settings had been defaulted again with the file set to root and read only, I checked the last modification time and saw it changed to the time I scanned with VueScan. |
This task depends upon
Closed by Evangelos Foutras (foutrelis)
Monday, 29 April 2013, 13:15 GMT
Reason for closing: Not a bug
Monday, 29 April 2013, 13:15 GMT
Reason for closing: Not a bug
Btw this bug report doesn't really belong here since we don't package vuescan, it's not in our repos.
CREATE vuescanzgPM1j
OPEN vuescanzgPM1j
ATTRIB vuescanzgPM1j
MODIFY vuescanzgPM1j
CLOSE_WRITE,CLOSE vuescanzgPM1j
DELETE vuescan.ini
MOVED_FROM vuescanzgPM1j
MOVED_TO vuescan.ini
(The above is output from 'inotifywait -m'.)
It's running under your user, but since it has write permission to the parent directory (.vuescan), it can simply delete vuescan.ini and move a new file into its place.
tl;dr: There's no security hole; look into making vuescan.ini immutable if you don't want it to be changed (http://en.wikipedia.org/wiki/Chattr).