APCupsd is a daemon for controlling most of APC's UPS models on Unix and Windows machines. The Unix daemon runs as root and shuts the machine down in case of a power failure. Because the daemon creates its PID file world-writable, a local user can make the root-run stop and shutdown scripts kill arbitrary processes instead of the daemon itself.
Credit:
The information has been provided by Mattias Dartsch.
Vulnerable systems:
apcupsd version 3.7.2 and prior
Immune systems:
apcupsd version 3.8.0 and above
During startup, apcupsd creates a PID file named "apcupsd.pid" (in /var/run on most systems; the directory is distribution specific) containing the process ID of the daemon. The stop and shutdown scripts read this file and kill whatever PID it names.
Unfortunately, the PID file is created world-writable (mode 666, -rw-rw-rw-). Any local user can overwrite it with arbitrary process IDs. Because the script that reads it runs as root and does not check that the PID actually belongs to apcupsd, the processes named in the file are killed instead of the daemon whenever apcupsd is stopped or restarted, and again at system shutdown or reboot. Pointing the file at critical system processes is enough to crash the whole system.
Solution:
Upgrade to apcupsd version 3.8.0.
Workaround:
Users who don't want to upgrade can add two lines to the "start" section of the apcupsd startup script in /etc/rc.d or /sbin/init.d, directly before the existing "echo -e "$return"" line that closes that branch of the case statement (the last two lines below are the existing script, shown for context):
# give the daemon some little time to create the PID-file
sleep 1
#now simply chmod the PID-file to Mode 644
chmod 644 /var/run/apcupsd.pid
echo -e "$return"
;;
Note that this only narrows the window rather than closing it: the file stays world-writable until the chmod runs, so a local user who overwrites it during that second has their chosen PID locked in, and the chmod does nothing at all if the daemon takes longer than a second to create the file. The proper fix in 3.8.0 is for the daemon itself to create the file with a safe mode. Independently of that, a stop script that verifies the PID names a running apcupsd before signalling it removes the remaining risk.
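The following is an added example, not code from the advisory or from the apcupsd project, of a stop routine that does not trust the PID file blindly. It refuses a PID file that is writable by group or others, requires the file to hold exactly one positive integer above 1, and confirms that the process with that PID is actually the expected daemon before sending a signal. The default PID-file path, the daemon name and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a PID-file aware stop routine that does not trust the
# file blindly. Not apcupsd's own script; paths and names are assumptions.
#
# Exit codes of safe_stop:
#   0  daemon signalled
#   2  PID file missing, or writable by group/others (tampering possible)
#   3  PID file does not hold exactly one positive integer greater than 1
#   4  no live process with that PID, or it is not the expected daemon

PIDFILE="${PIDFILE:-/var/run/apcupsd.pid}"   # assumed default location
DAEMON_NAME="${DAEMON_NAME:-apcupsd}"

# pidfile_mode_ok FILE: succeed only if FILE is a regular file that
# neither group nor others may write. Uses find -perm so that it works
# without GNU stat(1). In production also check the owner (find -user root).
pidfile_mode_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -020 2>/dev/null)" ] || return 1
    [ -z "$(find "$1" -perm -002 2>/dev/null)" ] || return 1
    return 0
}

# read_pid FILE: print the PID stored in FILE if it is a single positive
# integer greater than 1 (PID 1 is init; never let a PID file point there).
read_pid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1
    printf '%s\n' "$pid"
}

# process_matches PID NAME: succeed if a process with PID exists and its
# command name is NAME. Reads /proc on Linux, falls back to ps(1).
process_matches() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/comm" ]; then
        comm=$(cat "/proc/$1/comm")
    else
        comm=$(ps -o comm= -p "$1" 2>/dev/null)
    fi
    [ "$comm" = "$2" ]
}

# safe_stop PIDFILE NAME [SIGNAL]: validate the file and the process,
# then signal the daemon (SIGTERM by default).
safe_stop() {
    pidfile_mode_ok "$1" || return 2
    pid=$(read_pid "$1") || return 3
    process_matches "$pid" "$2" || return 4
    kill -s "${3:-TERM}" "$pid"
}

# Usage from an init script:  sh safe_stop.sh stop   (file name is assumed)
if [ "${1:-}" = "stop" ]; then
    safe_stop "$PIDFILE" "$DAEMON_NAME"
    exit $?
fi
```

With this in place, a world-writable PID file or one pointing at a process that is not apcupsd makes the stop step fail loudly instead of killing whatever the attacker named; the exit code tells the operator which check failed.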
Mandrake
Linux Mandrake has released updated apcupsd packages.
You can download the updates directly from one of the mirror sites listed at: http://www.linux-mandrake.com/en/ftp.php3.
If you want to upgrade manually, download the updated package from one of the FTP server mirrors and upgrade (as root) with:
# rpm -Fvh *.rpm