[Pkg-net-snmp-devel] Bug#520724: snmpd: fails to set the group (gid), this will be a security problem in some configurations
Russell Coker
russell at coker.com.au
Sun Mar 22 11:45:27 UTC 2009
Package: snmpd
Version: 5.4.1~dfsg-12
Severity: grave
Tags: security
Justification: user security hole
The following output of "ps" shows that the group is "root":
ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm|head -1 ; ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm|grep snmp
PID USER EUSER SUSER FUSER GROUP EGROUP SGROUP FGROUP COMMAND
4503 snmp snmp snmp snmp root root root root snmpd
This means that it can write to /dev/mapper/control, /dev/kmsg, and
/dev/xen/evtchn, as well as probably some files and directories that are
created by the sysadmin. If for example the /root directory had more 0770
then this would permit the snmpd to take over the root account.
While it would require that the snmpd be compromised to take advantage of this,
I believe that it's a security flaw to run code with GID 0 when there is no
need for it.
More information about the Pkg-net-snmp-devel
mailing list