multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
Enterprise Server (SLES) 10 uses world-writable permissions for the
socket file (aka /var/run/multipathd.sock), which allows local users
to send arbitrary commands to the multipath daemon.
In 0.4.8-r1 (1.2) now, cleared for stable request (has some other fixes in it too).
Arches, please test and mark stable:
Target keywords : "amd64 ppc ppc64 x86"
Marked ppc stable.
GLSA vote: yes.
+1 vote as the maintainer. Anybody writing to the socket locally can cause SAN disks to go offline, potentially causing an entire OCFS2 cluster to fence/panic.
I've confirmed this problem exists in my production cluster. chmod o-rwx /var/run/multipath.sock works around it at runtime. But it's less than ideal.
Please fire off a GLSA for this to raise awareness.
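Added example (not code from the bug thread or from multipath-tools): an audit helper that flags Unix domain sockets whose mode lets any local user write to them, the condition the CVE text describes, plus the runtime workaround from the comment above (`chmod o-rwx`) expressed in code. Function names are hypothetical, and the demo creates a constructed socket in a temporary directory rather than touching /var/run.

```python
import os
import socket
import stat
import tempfile


def world_writable_sockets(directory):
    """Return {path: mode} for every socket in `directory` with the o+w bit set."""
    hits = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow symlinks when auditing
        if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits[path] = stat.S_IMODE(st.st_mode)
    return hits


def strip_other_bits(path):
    """Equivalent of `chmod o-rwx path`; returns (old_mode, new_mode)."""
    old = stat.S_IMODE(os.lstat(path).st_mode)
    new = old & ~stat.S_IRWXO  # clear read/write/execute for "other"
    os.chmod(path, new)
    return old, new


def make_demo_socket(directory, name="multipathd.sock", mode=0o666):
    """Constructed sample: bind a socket file and give it a deliberately weak mode.
    The listening socket object is returned so the caller controls its lifetime."""
    path = os.path.join(directory, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    return path, srv


def run_demo():
    """Create a weak socket, audit, apply the workaround, audit again.
    Returns (findings_before, (old_mode, new_mode), findings_after)."""
    tmp = tempfile.mkdtemp()
    path, srv = make_demo_socket(tmp)
    try:
        before = world_writable_sockets(tmp)
        modes = strip_other_bits(path)
        after = world_writable_sockets(tmp)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmp)
    return before, modes, after


if __name__ == "__main__":
    before, modes, after = run_demo()
    print("before:", {p: oct(m) for p, m in before.items()})
    print("chmod o-rwx:", tuple(oct(m) for m in modes))
    print("after:", after)
```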
GLSA request filed.