CSF 2.67 - init scripts potential for bad user and group ownership permissions



DESCRIPTION


If ConfigServer Firewall 2.67 is downloaded and unpacked as an unprivileged user (rather than fetched via wget as root), the init scripts that install.sh places in /etc/init.d will have the uid and gid of the user that unpacked the tarball.



IMPACT


If the account that unpacked the csf tarball is later compromised, the csf and lfd init scripts can be trojaned, because that account still owns them. This could lead to a complete server compromise since the init scripts are run as root.


[user@host ~]$ wget http://configserver.com/free/csf.tgz
[user@host ~]$ tar zxf csf.tgz
[user@host ~]$ cd csf
[user@host ~/csf]$ /bin/su # or /bin/su -
Password:
[root@host /home/user/csf]# sh install.sh


Now observe the user and group ownership of the init scripts:

[user@host ~]$  ls -l /etc/init.d/{lfd,csf}
-rwx------ 1 user user 1150 Oct 17  2006 /etc/init.d/csf
-rwx------ 1 user user 1211 Oct 17  2006 /etc/init.d/lfd
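
The following check is an added example, not part of the original advisory or of csf itself. It audits a directory of init scripts for the condition shown above (owner or group other than root) and, going slightly beyond the listing, also flags files writable by group or other. The function name audit_init_scripts and its optional uid/gid arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit init scripts for ownership or permissions that
# let a non-root account modify code that root executes.
#
# Usage: audit_init_scripts DIR [EXPECTED_UID] [EXPECTED_GID]
#   EXPECTED_UID and EXPECTED_GID default to 0 (root).
# Prints an "ls -ln" line for each offending file.
# Returns 0 if the directory is clean, 1 if anything was flagged.
audit_init_scripts() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    # -H follows DIR itself if it is a symlink (on some systems
    # /etc/init.d is a symlink to rc.d/init.d).
    # Flag regular files whose owner or group differs from the expected
    # ids, or that are writable by group (0020) or other (0002).
    findings=$(find -H "$dir" -type f \
        \( ! -user "$want_uid" -o ! -group "$want_gid" \
           -o -perm -0020 -o -perm -0002 \) -print)

    if [ -z "$findings" ]; then
        return 0
    fi

    # Show numeric owner, group and mode for each flagged file.
    printf '%s\n' "$findings" | while IFS= read -r f; do
        ls -ln "$f"
    done
    return 1
}

# Typical invocation on an installed system:
#   audit_init_scripts /etc/init.d
```

Any file it reports can be corrected with chown root:root once its contents have been verified against a known-good copy.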