openhpi2 / Open-HPI-base

Open HPI is an open source implementation of the SA Forum's Hardware Platform Interface (HPI). HPI provides an abstracted interface to managing computer hardware, typically for chassis and rack based servers
0 stars 1 forks source link

/var/lib/openhpi world-writable imposes security risk #2587

Closed openhpi2 closed 8 years ago

openhpi2 commented 9 years ago

from openhpi/Makefile.am (line 134): $(mkinstalldirs) $(DESTDIR)$(VARPATH) chmod 777 $(DESTDIR)$(VARPATH)

An attacker could use the /var/lib/openhpi directory to fill up the storage hosting the /var/lib/ directory if quotas are not properly set.

If you have the /var/lib/openhpi dir already on your system, no modifications are made. So you need to delete it before trying installing again to reproduce the issue.

The attached patch fix the dir permissions on creation.

Reported by: rdossant

openhpi2 commented 9 years ago

Original comment by: dr_mohan

openhpi2 commented 9 years ago

Thanks Rafael for filing the bug and supplying the patch.

Original comment by: dr_mohan

openhpi2 commented 9 years ago

Original comment by: dr_mohan

openhpi2 commented 9 years ago

Fixed with checkin #7638

Original comment by: dr_mohan