TUCoPS :: Unix :: General :: ups4-2.htm


Apcupsd 3.7.2 Inappropriate Permissions
Vulnerability
 apcupsd
Affected
 apcupsd 3.7.2
Description
 Mattias Dartsch found the following. Apcupsd is a daemon for
 controlling most of APC's UPS models on Unix and Windows machines.
 The Unix daemon runs as root and shuts the machine down in case of
 a power failure.
 During startup apcupsd creates a PID file named "apcupsd.pid" in
 /var/run (system specific; the directory may differ) containing the ID of
 the daemon process. This PID file is used by the shutdown script
 to kill the daemon process.
 Unfortunately this PID file is world-writable (mode 666,
 -rw-rw-rw-). A malicious user can overwrite the file with
 arbitrary process IDs; those processes will then be killed instead of
 the apcupsd process when the apcupsd daemon is restarted or stopped
 and during system shutdown or restart. The whole system can be
 crashed this way.
Solution
 Upgrade to apcupsd Version 3.8.0. It's available at:
 http://www.sibbald.com/apcupsd/
 http://www.oasi.gpa.it/riccardo/linux/apcupsd/
 ftp://ftp.oasi.gpa.it/pub/apcupsd/
 Users who don't want to upgrade can add two lines to the "start"
 section of the apcupsd startup script in /etc/rc.d or
 /sbin/init.d:
 start)
     rm -f /etc/apcupsd/powerfail
     rm -f /etc/nologin
     echo -n "Starting apcupsd power management"
     $APCUPSD || return=$rc_failed
     # give the daemon a little time to create the PID file
     sleep 1
     # now simply chmod the PID file to mode 644
     chmod 644 /var/run/apcupsd.pid
     echo -e "$return"
     ;;
 For Linux-Mandrake 7.2:
 7.2/RPMS/apcupsd-3.8.0-1.1mdk.i586.rpm
 7.2/SRPMS/apcupsd-3.8.0-1.1mdk.src.rpm
 The root cause is a missing umask() call in the main program code; this
 was fixed in Version 3.8.0. The script change above is intended as a
 temporary solution for people who DON'T want to upgrade or
 recompile; they only have to alter the /etc/rc.d/apcupsd script.
 Setting a umask in an /etc/rc.d script can lead to strange side
 effects.
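 The stop side of the problem can be hardened as well: instead of killing whatever PID the file holds, the stop script can first verify that the PID file is trustworthy and that the PID still belongs to the daemon. The following is an added example, not code from the advisory or from the apcupsd project; the function names, the daemon-name argument and the use of Linux /proc and GNU coreutils stat(1) are assumptions.

```shell
#!/bin/sh
# Added example: a PID-file check for an apcupsd-style stop script. It refuses
# to send a signal unless the PID file is owned by the invoking user, is not
# group- or world-writable (the Mode 666 condition from the advisory), holds
# exactly one decimal PID, and that PID belongs to a live process whose command
# name matches the daemon. Assumes Linux /proc and GNU coreutils stat(1).

# validate_pidfile FILE DAEMON_NAME
# Prints the PID and returns 0 when every check passes; otherwise writes the
# reason to stderr and returns 1.
validate_pidfile() {
    pidfile=$1
    daemon=$2
    [ -f "$pidfile" ] || { echo "$pidfile: not a regular file" >&2; return 1; }

    # %u = owner uid, %a = permission bits in octal, e.g. 644 or 666.
    owner=$(stat -c %u "$pidfile")
    mode=$(stat -c %a "$pidfile")
    [ "$owner" -eq "$(id -u)" ] ||
        { echo "$pidfile: owned by uid $owner, not by us" >&2; return 1; }
    # 022 selects the group- and other-write bits; any overlap is fatal.
    [ $((0$mode & 022)) -eq 0 ] ||
        { echo "$pidfile: mode $mode is writable by other users" >&2; return 1; }

    # Use only the first line and insist on a pure decimal PID, so a file
    # overwritten with garbage, an empty file or PID 0 are all rejected.
    read -r pid < "$pidfile" || :
    case "$pid" in
        ''|0|*[!0-9]*) echo "$pidfile: '$pid' is not a valid PID" >&2; return 1 ;;
    esac

    # The PID must still belong to a running process that really is our daemon,
    # not to whatever process a local user wrote into the file.
    [ -r "/proc/$pid/comm" ] || { echo "no running process with PID $pid" >&2; return 1; }
    comm=$(cat "/proc/$pid/comm")
    [ "$comm" = "$daemon" ] ||
        { echo "PID $pid belongs to '$comm', not to $daemon" >&2; return 1; }

    echo "$pid"
}

# stop_daemon FILE DAEMON_NAME: terminate the daemon only after validation.
stop_daemon() {
    pid=$(validate_pidfile "$1" "$2") || return 1
    kill -TERM "$pid"
}
```

 The chmod workaround above still leaves the file world-writable during the second between its creation and the chmod; a check on the stop side does not depend on that window.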
