multipath-tools: World-writeable socket — GLSA 201006-10

multipath-tools does not set correct permissions on the socket file, making it possible to send arbitrary commands to the multipath daemon for local users.

Affected Packages

sys-fs/multipath-tools on all architectures
Affected versions < 0.4.8-r1
Unaffected versions >= 0.4.8-r1

Background

multipath-tools are used to drive the Device Mapper multipathing driver.

Description

multipath-tools uses world-writable permissions for the socket file (/var/run/multipathd.sock).

Impact

Local users could send arbitrary commands to the multipath daemon, causing cluster failures and data loss.

Workaround

chmod o-rwx /var/run/multipath.sock

Resolution

All multipath-tools users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.4.8-r1"

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since November 13, 2009. It is likely that your system is already no longer affected by this issue.

References

Release Date
June 01, 2010

Latest Revision
June 01, 2010: 01

Severity
normal

Exploitable
local

Bugzilla entries