
multipath-tools: World-writeable socket

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 201006-10 / multipath-tools
Release Date: June 01, 2010
Latest Revision: June 01, 2010: 01
Impact: normal
Exploitable: local

Package: sys-fs/multipath-tools
Vulnerable versions: < 0.4.8-r1
Unaffected versions: >= 0.4.8-r1
Architecture(s): All supported architectures

Related bugreports: #264564

Synopsis

multipath-tools does not set correct permissions on the socket file, allowing local users to send arbitrary commands to the multipath daemon.

2.  Impact Information

Background

multipath-tools are used to drive the Device Mapper multipathing driver.

Description

multipath-tools uses world-writable permissions for the socket file (/var/run/multipathd.sock).

Impact

Local users could send arbitrary commands to the multipath daemon, causing cluster failures and data loss.

3.  Resolution Information

Workaround

chmod o-rwx /var/run/multipathd.sock
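
To check whether a host is still exposed, or to confirm that the workaround took effect, the socket's mode can be inspected. The script below is an added example and not part of the Gentoo advisory; it uses the socket path from the Description, assumes GNU stat, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the multipathd control
# socket is reachable by users outside its owner and group.
# Assumes GNU stat (coreutils), as found on Gentoo Linux.

# Socket path as given in the advisory's Description; override with $1.
SOCK=${1:-/var/run/multipathd.sock}

# other_bits PATH: print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    # %a prints the octal mode, e.g. 666 or 1777; the last digit is "other".
    printf '%s\n' "${mode#"${mode%?}"}"
}

# socket_exposure PATH: print one word and set the exit status.
#   absent     (0)  no such file, daemon probably not running
#   restricted (0)  no "other" write bit
#   exposed    (1)  "other" may write
socket_exposure() {
    if [ ! -e "$1" ]; then
        echo absent
        return 0
    fi
    bits=$(other_bits "$1") || return 2
    # Bit value 2 is write. On Linux, connect() to a UNIX socket needs
    # write permission on the socket file.
    if [ $((bits & 2)) -ne 0 ]; then
        echo exposed
        return 1
    fi
    echo restricted
}

[ -e "$SOCK" ] && [ ! -S "$SOCK" ] && echo "note: $SOCK is not a socket" >&2
printf '%s: %s\n' "$SOCK" "$(socket_exposure "$SOCK")"
```

A result of "exposed" after upgrading means the running daemon still holds the old socket; restart multipathd and check again.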

Resolution

All multipath-tools users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.4.8-r1"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since November 13, 2009. It is likely that your system is already no longer affected by this issue.

4.  References




Page updated June 01, 2010

Summary: This is a Gentoo Linux Security Advisory

Copyright 2001-2013 Gentoo Foundation, Inc.