
improper pid file handling of webgui
Closed, Resolved (Public, BUG)

Description

Since the webgui is suid root, any unprivileged user (however they might get onto the system) might arbitrarily overwrite any file:

frr@fw0:~$ /usr/lib/cgi-bin-webgui -i /etc/resolv.conf
^C
frr@fw0:~$ cat /etc/resolv.conf
5947
frr@fw0:~$

I don't know if that could be exploited to gain admin rights, but it could at least hose the system.
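The transcript above shows a suid-root binary writing its pid to whatever path "-i" names. Below is an added example (not VyOS or lighttpd code) that reconstructs that pattern as a hypothetical pid-file writer and puts a hardened variant beside it: the path is confined to one directory, symlinks are refused with O_NOFOLLOW, and the file is opened with the real uid's privileges instead of the suid effective uid. The function names, the /run pid directory and the "webgui-example.pid" file name are assumptions for illustration.

```c
// Added example, not VyOS code: hypothetical pid-file writer reconstructing the
// report's pattern, beside a hardened variant. Names and paths are assumptions.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern the transcript implies: trust the -i argument and write as
 * the effective user. Suid root plus "-i /etc/resolv.conf" truncates that file
 * and leaves only the pid in it. Kept for comparison; never call it as root. */
int write_pidfile_unsafe(const char *path)
{
    FILE *f = fopen(path, "w");          /* follows symlinks, no location check */
    if (!f)
        return -1;
    fprintf(f, "%d\n", (int)getpid());
    return fclose(f) == 0 ? 0 : -1;
}

/* 1 if path is an absolute name directly inside allowed_dir (no subdirectory
 * component, so no "..", "." or "/" tricks in the basename), else 0. */
int pidfile_path_allowed(const char *allowed_dir, const char *path)
{
    size_t dlen = strlen(allowed_dir);
    if (dlen == 0 || allowed_dir[0] != '/' || path[0] != '/')
        return 0;
    while (dlen > 1 && allowed_dir[dlen - 1] == '/')   /* tolerate "/run/" */
        dlen--;
    if (strncmp(path, allowed_dir, dlen) != 0 || path[dlen] != '/')
        return 0;
    const char *base = path + dlen + 1;
    if (*base == '\0' || strchr(base, '/') != NULL)
        return 0;
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    return 1;
}

/* Hardened pattern: confine the path, refuse symlinks, and open with the real
 * uid's privileges so an unprivileged caller cannot clobber files they could
 * not write on their own. Returns 0 on success, -1 on error (errno set). */
int write_pidfile_safe(const char *allowed_dir, const char *path)
{
    if (!pidfile_path_allowed(allowed_dir, path)) {
        errno = EACCES;
        return -1;
    }
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)          /* drop to the invoking user */
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    int open_errno = errno;
    int restored = seteuid(saved_euid);  /* restore before doing anything else */
    if (fd < 0 || restored != 0) {
        if (fd >= 0)
            close(fd);
        errno = open_errno;
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)getpid());
    int ok = (write(fd, buf, (size_t)n) == n);
    if (close(fd) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Parse the pid back out of a pid file; -1 if unreadable or not a number. */
int read_pidfile(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int pid = -1;
    if (fscanf(f, "%d", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

/* Round trip for the safe writer: write our pid to <dir>/webgui-example.pid,
 * read it back, remove the file, and return the pid read (or -1). */
int pidfile_roundtrip(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/webgui-example.pid", dir);
    if (write_pidfile_safe(dir, path) != 0)
        return -1;
    int pid = read_pidfile(path);
    unlink(path);
    return pid;
}

int main(int argc, char **argv)
{
    /* Usage: ./pidfile [-i PATH]; mirrors the report's -i option, but the safe
     * writer rejects any path outside the assumed /run directory. */
    const char *path = "/run/webgui-example.pid";
    if (argc == 3 && strcmp(argv[1], "-i") == 0)
        path = argv[2];
    if (write_pidfile_safe("/run", path) != 0) {
        perror(path);
        return 1;
    }
    printf("wrote pid %d to %s\n", (int)getpid(), path);
    return 0;
}
```

With the hardened writer, the report's "-i /etc/resolv.conf" fails the path check before any file is touched; a symlink planted at /run/webgui-example.pid is refused by O_NOFOLLOW; and because the open happens under the real uid, even a path that passes the check cannot create or truncate anything the invoking user could not already write. Confining the path and dropping privileges are independent defences, so a bug in one does not reopen the hole.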

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.0-rc7
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

buzzdeee changed the visibility from "Public (No Login Required)" to "All Users". (Nov 14 2018, 10:38 AM)
syncer changed the visibility from "All Users" to "Public (No Login Required)".
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux.
syncer added subscribers: dmbaturin, syncer.

@dmbaturin please remove all related

syncer raised the priority of this task from Low to Normal.
syncer added a subscriber: hagbard.

@hagbard we need to remove all old stuff including lighttpd;
we are going to replace it with nginx as per T808

hagbard changed the task status from Open to In progress. (Feb 8 2019, 7:36 PM)
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin set Issue type to Unspecified (please specify).