[tor-bugs] #2694 [Tor bundles/installation]: Local privilege escalation vulnerability in our rpms
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Mar 9 22:54:15 UTC 2011
#2694: Local privilege escalation vulnerability in our rpms
--------------------------------------+-------------------------------------
Reporter: arma | Owner: erinn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
In tor.spec.in we do
{{{
# Older tor RPMS used a different username for the tor daemon.
# Make sure the runtime data have the right ownership.
%__chown -R %{toruser}.%{torgroup} %{_localstatedir}/{lib,log,run}/%{name}
}}}
That -R will let an attacker who gets control of the _tor user get control
of other files on the system.
The fix is to remove the -R from that line.
The downside is that we won't actually get the smooth upgrade that the
comment implies. I wonder if these "older Tor rpms" still exist?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2694>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list