iDEFENSE Intelligence Operations discovered security issues in improper file and directory permissions during an audit of Astaro AG's Astaro Linux. Astaro Linux designates a number of files and directories as world writeable that should probably not be. This, combined with other more serious flaws, could potentially result in system compromise or denial of service.
Astaro AG bills its Linux packages as "Security Linux."
Analysis: World writeable files and directories are dangerous because any user on the system, even one running in a restricted account such as "nobody" can access the files, write to them, and potentially delete them. World writeable directories can be especially dangerous when they are used to store files covertly. Any directories and files contained within the world writeable directory can potentially be modified.
Several sensitive configuration files and directories are world writeable, meaning an attacker with any level of access to the root file system could cause damage or subvert the services/applications relying on those files.
The following files are world writeable: • /etc/protocols • /etc/ssh/ssh_host_dsa_key.pub • /etc/ssh/ssh_host_key.pub
It is unknown whether or not the following files need to be world writeable for the system to function properly, but it appears safe to remove the world writeable attribute:
• /etc/up2date/latest_md5sum • /wtc/wfe/conf/console • /wtc/wfe/conf/nameserver • /wtc/wfe/conf/netzkartendata • /var/log/account/timestamp
Astaro Linux also contains a number of world writeable directories: • /var • /etc/up2date/lib1 • /etc/up2date/lib2
In general, the /var directory should not be world writeable on any *nix system since by filling up the associated partition, an attacker may prevent log files from being written to hide his activity.
Detection: Finding world writeable files and directories is easy, simply use the "find" command:
find / -type d -perm +002 find / -type f -perm +002
These commands will list all world writeable directories and files respectively. Some of the directories, such as /tmp, are meant to be world writeable, and leaving them as such is relatively safe.
Workaround: Removing the world writeable bit on the files can be accomplished using chmod:
chmod o-w filename
This will work for both files and directories.
Vendor Response: Markus Hennig of Astaro <firstname.lastname@example.org> promptly confirmed the incorrect file permissions and worked with us responsibly to resolve these issues. The latest Up2Date 2.022 fixes the file permissions, which is now currently available on Astaro Up2Date servers.
David Endler, CISSP Director, iDEFENSE Labs 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071