CVE-2004-0029
Description
Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lotus Notes Domino 6.0.2 on Linux ships notes.ini with world-writable permissions, letting local users modify configuration and escalate privileges.
Vulnerability
Lotus Notes Domino 6.0.2 on Linux installs the configuration file /local/notesdata/notes.ini with world-writable permissions (rw-rw-rw-). The same insecure permissions apply to /opt/lotus/LPSilent.ini. The affected release is Domino 6.0.2 on the Linux platform. The file is owned by the notes user, but any local user can modify it without authentication. [1][2]
Exploitation
An attacker with local shell access can edit notes.ini to alter critical keys. For example, they can change CleanupScriptPath to point to a malicious script, or modify NotesProgram to a user-controlled directory and add a fake ServerTask binary (e.g., "router") that spawns a setuid shell. When the notes service restarts, the bogus task runs with the privileges of the notes user. [2]
Impact
A local attacker can gain the ability to read sensitive files, start or stop services, or execute arbitrary code as the notes user. This effectively elevates their privileges from an unprivileged local user to a service account with significant administrative control over the Domino server. [1][2]
Mitigation
The vendor has not released a public fix. The only mitigation is to manually correct the permissions on the affected files: chmod 644 /local/notesdata/notes.ini and chmod 644 /opt/lotus/LPSilent.ini, and ensure newly installed versions use restrictive permissions. This CVE is not listed on CISA’s Known Exploited Vulnerabilities catalog.
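The permission check and correction described above, written as an audit script. This is an added example, not part of the advisory or any vendor tooling; the function names are hypothetical, and the default paths are the two files named on this page.

```shell
#!/bin/sh
# Audit config files for the world-writable bit and optionally reset them to 644.
# Function names are illustrative; default paths come from the advisory text.

# is_world_writable FILE: succeeds when "other" has write permission on FILE.
is_world_writable() {
    # -prune keeps find from descending; -perm -0002 matches when o+w is set.
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# audit_file FILE [report|fix]: returns 1 if FILE is left in an unsafe state.
audit_file() {
    f=$1
    mode=${2:-report}
    if [ -L "$f" ]; then
        # chmod would follow the link, so leave symlinks for manual review.
        echo "WARN  $f is a symlink; inspect its target by hand"
        return 1
    fi
    if [ ! -e "$f" ]; then
        echo "SKIP  $f (not present)"
        return 0
    fi
    if is_world_writable "$f"; then
        if [ "$mode" = fix ]; then
            chmod 644 "$f" || { echo "ERROR $f chmod failed"; return 1; }
            echo "FIXED $f set to 644"
            return 0
        fi
        echo "VULN  $f is world-writable"
        return 1
    fi
    echo "OK    $f"
    return 0
}

# audit_all MODE FILE...: non-zero exit if any file remains unsafe.
audit_all() {
    mode=$1; shift
    rc=0
    for f in "$@"; do
        audit_file "$f" "$mode" || rc=1
    done
    return $rc
}

# Report-only by default; pass "fix" as the first argument to apply chmod 644.
audit_all "${1:-report}" /local/notesdata/notes.ini /opt/lotus/LPSilent.ini
```

Run it in report mode after every Domino install or upgrade so a reinstall that restores the loose permissions is caught.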
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:lotus_domino:6.0.2:*:*:*:*:*:*:*
- Range: 6.0.2 on Linux
Patches
No patches discovered yet.
References
7
News mentions
No linked articles in our index yet.