remctl 2.6 released (SECURITY)

Russ Allbery rra at stanford.edu
Sun Feb 4 02:12:47 EST 2007


Well, this is embarrassing.  In testing this evening, I discovered that
there is a logic bug in the ACL checking in remctl that caused a missing
ACL file to be interpreted as successful authorization rather than
failure.  In other words, if in your configuration you protected a command
with an ACL file that didn't exist (even if multiple ACL files were listed
and the others did exist), any authenticated user would have access to run
that command.

If all the ACL files exist, the ACL checking works properly, which is why
I'd not noticed this bug.  In addition to the logic bug, it was a coverage
flaw in the test suite, which has now been remedied.

This bug was probably introduced around remctl 1.11 when include support
in ACL files was added.

I've released version 2.6 of remctl to fix this problem.

Changes from previous release:

    SECURITY: If an ACL listed for a command didn't exist, the
    authorization check was treated as a success instead of a failure.
    This had, embarrassingly, apparently been broken since at least 2.0.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

The version of remctl in Debian stable is not affected.  The version in
Debian testing is affected, and I will be uploading a minimal security fix
to Debian unstable later this evening.  You can also get 2.6 packages for
both Debian unstable/testing and Debian stable from my personal
repository.  See:

    <http://www.eyrie.org/~eagle/software/debian.html>

for more information.

Apologies for this.  It was a particularly stupid mistake on my part.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
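
The failure mode described in the message above, as an added illustration in C; it is not part of the original post and is not remctl's source. It contrasts a fail-open ACL loop, where a missing file's error status is read as a match, with a fail-closed loop. All function names, the enum, the ACL file format, and the sample path are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this models the bug class, not remctl's source. */
enum acl_result { ACL_DENY = 0, ACL_ALLOW = 1, ACL_ERROR = -1 };

/* Assumed ACL file format: whitespace-separated principal names. */
static enum acl_result acl_check_file(const char *path, const char *user)
{
    char name[256];
    enum acl_result result = ACL_DENY;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return ACL_ERROR;           /* missing or unreadable file */
    while (fscanf(fp, "%255s", name) == 1)
        if (strcmp(name, user) == 0)
            result = ACL_ALLOW;
    fclose(fp);
    return result;
}

/* Fail-open: ACL_ERROR is nonzero, so a missing file reads as a match. */
int acl_permit_failopen(const char **acls, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++)
        if (acl_check_file(acls[i], user))
            return 1;
    return 0;
}

/* Fail-closed: only ACL_ALLOW grants, and any file error denies outright. */
int acl_permit_failclosed(const char **acls, size_t n, const char *user)
{
    int allowed = 0;
    for (size_t i = 0; i < n; i++) {
        enum acl_result r = acl_check_file(acls[i], user);
        if (r == ACL_ERROR)
            return 0;
        allowed |= (r == ACL_ALLOW);
    }
    return allowed;
}

int main(void)
{
    const char *acls[] = { "/nonexistent/example.acl" };  /* constructed */
    printf("fail-open=%d\n", acl_permit_failopen(acls, 1, "u@EXAMPLE.ORG"));
    printf("fail-closed=%d\n", acl_permit_failclosed(acls, 1, "u@EXAMPLE.ORG"));
    return 0;
}
```

A regression test for this class of bug needs at least one case where a listed ACL file is absent, alone and alongside files that exist, which is the coverage gap the message mentions.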