0001087: nessus scans don't work with bin/pfcmd setuid/setgid (which is the default) - PacketFence - BTS

Bug Tracking System

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

ID

Project

Category

View Status

Date Submitted

Last Update

0001087

PacketFence

scanning

public

2010-10-08 14:56

2011-10-24 20:24

Reporter

obilodeau

Assigned To

obilodeau

Priority

high

Severity

major

Reproducibility

sometimes

Status

closed

Resolution

fixed

Platform

OS

OS Version

Product Version

Target Version

3.0.0

Fixed in Version

3.0.0

Summary

0001087: nessus scans don't work with bin/pfcmd setuid/setgid (which is the default)

Description

doing stuff in the lab, we came up to this problem..

Here's the error:
-sh-3.2$ /usr/local/pf/bin/pfcmd schedule now 192.168.2.253
Insecure dependency in open while running setgid at
        /usr/local/pf/lib/pf/scan.pm line 77 (0000001)
    (F) You tried to do something that the tainting mechanism didn't like.
    The tainting mechanism is turned on when you're running setuid or
    setgid, or when you specify -T to turn it on explicitly. The
    tainting mechanism labels all data that's derived directly or indirectly
    from the user, who is considered to be unworthy of your trust. If any
    such data is used in a "dangerous" operation, you get this error. See
    perlsec for more information.

Uncaught exception from user code:
        Insecure dependency in open while running setgid at /usr/local/pf/lib/pf/scan.pm line 77.
at /usr/local/pf/lib/pf/scan.pm line 77
        pf::scan::runScan(192.168.2.253) called at /usr/local/pf/bin/pfcmd line 1367
        main::schedule() called at /usr/local/pf/bin/pfcmd line 247

Possible fixes:
- untaint / laundry variables to make perl happy
- have a separate CLI for it which doesn't require setuid/setgid
- re-architect the whole thing to drop setuid/setgid requirements
- sudo profiles?

Tags

No tags attached.

fixed in git revision

fixed in mtn revision

fd18daff77b97ab16edef499a8d0751cce5b54de

Relationships

related to

closed

check if bin/pfcmd is setuid on sanity_check

Notes
(0001885) obilodeau (reporter) 2011-02-25 13:54	remember to increase warning level to FATAL in pf::pfcmd::checkup::permissions() once this is fixed

(0002092) obilodeau (reporter) 2011-06-17 17:49	fixed by sanitizing / untainting the data in the path to a nessus scan

(0002093) obilodeau (reporter) 2011-06-17 17:49	Reminder sent to: fgaudreault You'll probably be glad to hear that this one is fixed.

(0002278) obilodeau (reporter) 2011-09-21 22:20	fix released in 3.0

Issue History
Date Modified	Username	Field	Change
2010-10-08 14:56	obilodeau	New Issue
2010-11-15 13:38	obilodeau	Relationship added	related to 0001116
2011-01-18 11:41	obilodeau	Target Version	=> 2.1.0
2011-02-25 13:40	obilodeau	Relationship added	related to 0001025
2011-02-25 13:54	obilodeau	Note Added: 0001885
2011-03-03 15:15	obilodeau	Target Version	2.1.0 => +1
2011-03-03 15:18	obilodeau	Target Version	+1 => +2
2011-03-03 15:42	obilodeau	Assigned To	=> obilodeau
2011-03-03 15:42	obilodeau	Severity	minor => major
2011-03-03 15:42	obilodeau	Status	new => confirmed
2011-03-03 15:42	obilodeau	Target Version	+2 => +1
2011-06-17 17:26	obilodeau	Description Updated
2011-06-17 17:49	obilodeau	mtn revision	=> fd18daff77b97ab16edef499a8d0751cce5b54de
2011-06-17 17:49	obilodeau	Note Added: 0002092
2011-06-17 17:49	obilodeau	Status	confirmed => resolved
2011-06-17 17:49	obilodeau	Fixed in Version	=> +1
2011-06-17 17:49	obilodeau	Resolution	open => fixed
2011-06-17 17:49	obilodeau	Note Added: 0002093
2011-09-21 22:20	obilodeau	Fixed in Version	+1 => 3.0.0
2011-09-21 22:20	obilodeau	Note Added: 0002278
2011-09-21 22:21	obilodeau	Status	resolved => closed
2011-10-24 20:24	obilodeau	Target Version	+1 => 3.0.0

Copyright © 2000 - 2012 MantisBT Group