/var/lib/openhpi world-writable imposes security risk

[openhpi2]

from openhpi/Makefile.am (line 134): $(mkinstalldirs) $(DESTDIR)$(VARPATH) chmod 777 $(DESTDIR)$(VARPATH)

An attacker could use the /var/lib/openhpi directory to fill up the storage hosting the /var/lib/ directory if quotas are not properly set.

If you have the /var/lib/openhpi dir already on your system, no modifications are made. So you need to delete it before trying installing again to reproduce the issue.

The attached patch fix the dir permissions on creation.

Attachment: varlib_not_world_writable.patch.txt

Reported by: rdossant

[openhpi2]

• labels: --> Build System, OpenHPI Daemon
• assigned_to: dr_mohan
• Subsystem: OpenHPI Daemon --> Build System

Original comment by: dr_mohan

[openhpi2]

Thanks Rafael for filing the bug and supplying the patch.

Original comment by: dr_mohan

[openhpi2]

• status: open --> closed-fixed

Original comment by: dr_mohan

[openhpi2]

Fixed with checkin #7638

Original comment by: dr_mohan