
multiple /tmp file vulnerabilities #48

Closed
linuxmaniac opened this issue Jan 20, 2015 · 13 comments

@linuxmaniac (Member) commented Jan 20, 2015

Reported by: Helmut Grohne helmut@subdivi.de

The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
can be selected via the CFGFILE= setting in /etc/default/kamailio. The
configuration contains:

modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")

This setting is insecure and may allow local users to elevate privileges
to the kamailio user.

The issue extends to kamailio-advanced.cfg. It seems that this is due to
an incomplete fix of #712083. Looking further, the state of /tmp file
vulnerabilities in kamailio looks worrisome. Most of the results of the
following command (to be executed in the kamailio source) are likely
vulnerable if executed:

grep '/tmp/[a-z0-9_.-]\+\(\$\$\)\?\([" ]\|$\)' -r .

Granted, some of the results are examples, documentation or obsolete.
But quite a few reach the default settings:

  • kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
  • The kamailio build definitely is vulnerable as can be seen in
    utils/kamctl/Makefile.

More research clearly is required here. Given these findings, the
security team may want to veto the inclusion of kamailio in a stable
release, which would be very unfortunate as kamailio is quite a unique
piece of software with few competitors in its field.

Helmut

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775681

@linuxmaniac linuxmaniac added the 4.2 label Jan 20, 2015

@miconda (Member) commented Jan 20, 2015

I think this can be fixed by setting user/group for the fifo/ctl-socket files. Each of these modules has a corresponding parameter. Would that work?

@linuxmaniac (Member, Author) commented Jan 24, 2015

Changes I'm planning to do in the Debian packaging:

> kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.

I'm going to change the default of the ctl module to /var/run/kamailio/kamailio_ctl so kamcmd will use it by default, and I'm going to set the binrpc parameter explicitly in the etc/kamailio/*.cfg files.

> The kamailio build definitely is vulnerable as can be seen in utils/kamctl/Makefile.

I'm going to use the basedir Makefile config instead of /tmp.

@oej (Member) commented Jan 24, 2015

On 24 Jan 2015, at 13:20, Victor Seva notifications@github.com wrote:

> Changes I'm planning to do in the Debian packaging:
>
> > kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
>
> I'm going to change the default of the ctl module to /var/run/kamailio/kamailio_ctl so kamcmd will use it by default, and I'm going to set the binrpc parameter explicitly in the etc/kamailio/*.cfg files.
>
> > The kamailio build definitely is vulnerable as can be seen in utils/kamctl/Makefile.
>
> I'm going to use the basedir Makefile config instead of /tmp.

Is there a reason for not changing the Kamailio defaults?

/O

@linuxmaniac (Member, Author) commented Jan 24, 2015

> Is there a reason for not changing the Kamailio defaults?

And point them where? /var/run/kamailio is Debian specific; not all OSes use that.

@oej (Member) commented Jan 24, 2015

On 24 Jan 2015, at 17:18, Victor Seva notifications@github.com wrote:

> > Is there a reason for not changing the Kamailio defaults?
>
> And point them where? /var/run/kamailio is Debian specific; not all OSes use that.

My OS X has /var/run with various sockets.
My CentOS servers have /var/run with various pid-files.
One of my FreeBSD systems has /var/run.

I think it works for all of these.

/O

@thijskh commented Jan 26, 2015

/var/run is not Debian specific but in the Filesystem Hierarchy Standard; so a safe default to choose which should have wide support.

@sipidronov (Contributor) commented Jan 26, 2015

Why not default to the kamailio working directory? Not the nicest way, but it should work on most setups.

@oej (Member) commented Jan 26, 2015

I would say follow generic standards and place the files in /var/run by default. We should behave as other servers in a system whenever possible.

@miconda (Member) commented Jan 26, 2015

If /var/run is common to all major Linuxes and *BSDs, it can be used. But some of those Linuxes are using an application name folder inside /var/run, so that doesn't seem to be standard - e.g., Debian is using /var/run/kamailio/... for the PID.

Also, when installing with a PREFIX, perhaps this has to be taken into consideration and have $PREFIX/var/run

linuxmaniac added a commit to linuxmaniac/kamailio that referenced this issue Jan 28, 2015

utils/kamctl: use $(basedir) as tmp dir on building instead of insecure /tmp

Reported by: Helmut Grohne <helmut@subdivi.de> See kamailio#48
@linuxmaniac (Member, Author) commented Jan 29, 2015

JFTR I've just uploaded 4.2.0-2 to Debian and it has been unblocked by the Release Manager Team. So it will finally land in jessie.

@linuxmaniac (Member, Author) commented Jan 29, 2015

@thijskh I said '/var/run/kamailio' is Debian specific
@miconda now, as of 4.2.0-2, '/var/run/kamailio' is used for the PID, kamailio_ctl and kamailio_fifo by default
and yes, I think $PREFIX/var/run should be honored
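A small audit script, added here as an illustration and not code from Kamailio, from the Debian packaging or from anyone in this thread. It puts the weak fifo/ctl settings quoted in Helmut's report next to the hardened form that the mi_fifo and ctl module parameters allow (the /var/run/kamailio path settled on above, plus owner and mode pinned as miconda suggested), runs the report's grep over both, and checks whether the directory holding each configured path is world-writable. The scratch tree, its permissions (tmp/ made 1777 as a stand-in for /tmp, run/kamailio/ made 0750 as a stand-in for /var/run/kamailio), the file names and both sample configs are constructed for the example; the parameter names fifo_user, fifo_group, fifo_mode (mi_fifo) and user, group, mode (ctl) are the modules' documented parameters. It needs no Kamailio installation to run.

```shell
#!/bin/sh
# Audit helper added as an illustration; not code from Kamailio, from the Debian
# packaging or from anyone in this thread. It writes the weak configuration
# quoted in the report next to a hardened one, runs Helmut's grep over both and
# checks whether the directory holding each configured fifo/socket is
# world-writable. The scratch tree (tmp/ made 1777 as a stand-in for /tmp,
# run/kamailio/ made 0750 as a stand-in for /var/run/kamailio) and both sample
# configs are constructed here; the parameter names come from the mi_fifo and
# ctl module documentation.

# Helmut's pattern from the report as an extended regex (same matches under GNU
# and BSD grep). Prints "file:line:text" per hit; exits 1 on no hit, like grep.
find_tmp_paths() {
    grep -rnE '/tmp/[a-z0-9_.-]+(\$\$)?([" ]|$)' "$1"
}

# Number of lines in a file or tree that reference a /tmp path (0 if none).
count_tmp_paths() {
    find_tmp_paths "$1" | awk 'END { print NR }'
}

# Filesystem paths the modparams point at: mi_fifo "fifo_name" and the ctl
# "binrpc" socket, with its unix:/unixs: scheme prefix stripped.
configured_paths() {
    sed -n \
        -e 's/.*"fifo_name", *"\([^"]*\)".*/\1/p' \
        -e 's/.*"binrpc", *"unixs\{0,1\}:\([^"]*\)".*/\1/p' "$1"
}

# Returns 0 if others may write to directory $1 (the "w" in the others column
# of ls -ld), 1 if not, 2 if it does not exist. The sticky bit is deliberately
# ignored: it stops other users deleting files, not pre-creating the name a
# daemon is about to open.
dir_is_world_writable() {
    [ -d "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the scratch tree and both sample configs under $1.
write_samples() {
    mkdir -p "$1/tmp" "$1/run/kamailio"
    chmod 1777 "$1/tmp"
    chmod 0750 "$1/run/kamailio"
    # Weak: both control channels in the shared directory, as in the report.
    cat > "$1/kamailio-basic.cfg" <<EOF
modparam("mi_fifo", "fifo_name", "$1/tmp/kamailio_fifo")
modparam("ctl", "binrpc", "unixs:$1/tmp/kamailio_ctl")
EOF
    # Hardened: private directory, plus owner and mode pinned on both modules.
    cat > "$1/kamailio-basic-fixed.cfg" <<EOF
modparam("mi_fifo", "fifo_name", "$1/run/kamailio/kamailio_fifo")
modparam("mi_fifo", "fifo_user", "kamailio")
modparam("mi_fifo", "fifo_group", "kamailio")
modparam("mi_fifo", "fifo_mode", 0660)
modparam("ctl", "binrpc", "unixs:$1/run/kamailio/kamailio_ctl")
modparam("ctl", "user", "kamailio")
modparam("ctl", "group", "kamailio")
modparam("ctl", "mode", 0660)
EOF
}

# One verdict line per configured path in config file $1.
audit_cfg() {
    configured_paths "$1" | while read -r p; do
        rc=0
        dir_is_world_writable "$(dirname "$p")" || rc=$?
        case $rc in
            0) echo "UNSAFE $p (parent directory is world-writable)" ;;
            1) echo "ok     $p" ;;
            *) echo "absent $p (parent directory does not exist)" ;;
        esac
    done
}

# Number of UNSAFE verdicts for config file $1.
count_unsafe() {
    audit_cfg "$1" | awk '/^UNSAFE/ { n++ } END { print n + 0 }'
}

# Stand-alone run: show the grep hits and the audit of both configs.
demo() {
    work=$(mktemp -d)
    write_samples "$work"
    echo "== lines matching the report's grep =="
    find_tmp_paths "$work" || echo "(none)"
    for cfg in kamailio-basic.cfg kamailio-basic-fixed.cfg; do
        echo "== $cfg =="
        audit_cfg "$work/$cfg"
        echo "unsafe paths: $(count_unsafe "$work/$cfg")"
    done
    rm -rf "$work"
}

demo
```

Against a real system, point find_tmp_paths at the kamailio source tree (as the report does) and audit_cfg at the files under /etc/kamailio. An "absent" verdict is worth acting on too: the daemon will only get a private directory if the packaging or init script creates it, owned by the service user, before kamailio starts; otherwise a misconfigured fallback or a manual workaround tends to end up back in /tmp.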

@amessina (Contributor) commented Jan 29, 2015

I'm glad to see work in this direction. I've been using this patch (https://messinet.com/rpms/browser/kamailio/kamailio-ctl-fifo-pid.patch) for Fedora 20, 21 & EL7 RPMs to move things from /tmp to /run/kamailio. I'm sure it's not complete, but it's worked well so far.

@kamailio-sync commented Jan 30, 2015

Many thanks Victor for pursuing this and getting it pushed to Debian.

Perhaps we can make the default /var/run/ instead of /tmp/, with Debian
using /var/run/kamailio/.

At the end, I am happy to make it directly defaulting to
/var/run/kamailio/. If other OSes have /var/run/ then I guess they are
happy creating a new folder in there as well, not just placing new
pid/socket/fifo files.

On Fri, Jan 30, 2015 at 12:34 AM, Anthony Messina notifications@github.com
wrote:

> I'm glad to see work in this direction. I've been using this patch
> https://messinet.com/rpms/browser/kamailio/kamailio-ctl-fifo-pid.patch
> for Fedora 20, 21 & EL7 RPMs to move things from /tmp to /run/kamailio.
> I'm sure it's not complete, but it's worked well so far.


Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda

linuxmaniac added a commit that referenced this issue Apr 16, 2015

Merge pull request #89 from linuxmaniac/vseva/defaults
set defaults of fifo and ctl to /var/run/kamailio

Closes: #48
Closes: #89