Bugzilla – Bug 372070
AUDIT-0: CVE-2009-1142: open-vm-tools: suid binary
Last modified: 2017-08-02 15:10:57 UTC
I created new package open-vm-tools. These are tools that could be installed when openSUSE is running in VMware. It contains one binary that should be packaged as suid root. If it is not, only root on guest system can access Shared files from host system.
-rwsr-xr-x 1 root root 43124 Mar 18 15:44 /usr/sbin/mount.vmhgfs
file /usr/sbin/mount.vmhgfs is packaged with suid/sgid permissions
but is not listed in any of /etc/permissions*
please contact security team
its likely to be placed in /sbin if it is a mount helper binary.
what filesystem is this?
This filesystem allows to share files between host OS and guest OS installed in VMware.
Any news? Package is now submitted to STABLE and is failing because of this. I will move binary to /sbin if you want.
the package is not prepared for handling setiud binaries. Please have a look at the packaging howto. It describes how %verifyscript, attributes etc should look like. Also don't package the binary with setuid bit set by default, the package will build then.
I submitted new package hopefully with the right use of permission scripts.
Almost :-) %verifyscript is a tag of it's own just like %post. You've mixed %post and %verifyscript:
%verify_permissions -e /sbin/mount.vmhgfs
That means that ldconfig and fillup are called when you run rpm -V rather than in %post. See also
$ rpm -qp --scripts /work/CDs/all/full-i386/suse/i586/open-vm-tools.rpm
Submitted again :)
Is a code review still needed here?
Thomas: Yes, please.
It is dir hgfsmounter/ right?
Yes... checked Makefile.am ;)
main() is vulnerable to a race condition as it seems and mount() would use an arbitrary traget dir.
mntRes = mount(shareName, mountPoint, HGFS_NAME, flags, &mountInfo); // XXX tom: mountPoint can be replaced after checks above are passed!
So, NO setuid root flag for this one.
Thomas: is issue mentioned in comment #12 the only issue blocking the setuid bit ?
Yes... so far I did not find anything more.
can you forward this issue to Dimitry too please.
Sorry, I forgot to paste the reply from Dmitry on this one:
> main() is vulnerable to a race condition as it seems and mount() would use
> an arbitrary traget dir.
> mntRes = mount(shareName, mountPoint, HGFS_NAME, flags, &mountInfo); //
> XXX tom: mountPoint can be replaced after checks above are passed!
> It would be great if those concerns could be addressed at an earliest
> convenience so that openSUSE (and most likely also other distributions with
> similar rules) can ship open-vm-tools with setuid properly set.
Hmm, we don't install vmware-hgfsmounter (AKA mount.vmhgfs) as suid root,
hgfs is being mounted by a init.d script and so works fine without it.
I will try to find out why we recommend packaging it with suid root on
Because it does not really need setuid I'll close this bug.