[Nut-upsdev] Re: [nut-commits] svn commit r731

Arjen de Korte nut+devel at de-korte.org
Wed Jan 24 10:03:51 CET 2007


>> I don't see it as a security risk. Ditto for packet
>> filters. As I understand you, port ownership will affect whether
>> people connecting to that port can gain root access.
> err, no, not directly.
> opening the socket as root however leaves a window (until dropping
> privs) where a bug might allow remote attackers to gain root access,
> yes.

Since the privileges are dropped immediately after opening the sockets,
the chances are small that there is a usable attack window (in the latest
version in the trunk that is). Especially since this is a one-time
opportunity without any external trigger (restarting upsd) to reopen it.
So one would need to be hammering a system with attack packets
continuously in the hope that the server is restarted.

I don't think this is a viable attack vector, since by the time we start
to handle incoming packets, privileges are dropped anyway. What remains is
the socket ownership. I agree that opening the sockets as the upsd user is
probably better than as root, since there will be no surprises as to the
ownership of the socket and/or preferential treatment in case of memory
starvation.

Maybe we should just open the server sockets after dropping privileges and
allow people to override this behavior with a command line switch (I would
prefer to parse upsd.conf after dropping privileges too, so automatic
detection is not an option).

Best regards, Arjen
