| < remctl 2.5 | Russ Allbery > Eagle's Path > February 2007 | First 2007 haul > |
Well, sooner or later since I started being more public about remctl there was going to be some obvious and embarassing security vulnerability.
In testing new stanford-server Debian packages this evening and deploying a new remctl backend feature, I discovered that if the ACL file referred to by a configuration line doesn't exist, the command is accepted. Non-existent files and other read errors are treated as success. Worse, I have no idea how I managed to write the code that does this. The fix is a one-line patch, replacing a test that makes no sense with the obviously correct one.
This bug has been around since at least 2.0, and probably since 1.11 when include files for ACLs were first supported. Now, at least, this is tested explicitly in the test suite.
You can get the latest version from the remctl distribution page. Obviously, I would encourage everyone to upgrade, as this problem is something of a ticking time bomb. Having an ACL not be readable or not exist is a very easy mistake to make.
Posted: 2007-02-03 23:55 — Why no comments?
| < remctl 2.5 | Russ Allbery > Eagle's Path > February 2007 | First 2007 haul > |