From: Fumitoshi UKAI <ukai@debian.or.jp>
To: linux-hotplug@vger.kernel.org
Subject: Forward: Bug#138975: hotplug: /tmp symlink vulnerability
Date: Tue, 19 Mar 2002 01:39:32 +0000 [thread overview]
Message-ID: <marc-linux-hotplug-101650225509574@msgid-missing> (raw)
[-- Attachment #1: Type: text/plain, Size: 999 bytes --]
Hi,
I received the following bug report.
It actually create any files on tye system by dangling symlinking
in /tmp/test.<number> (touch follows symlinks).
Anyway as report said, I think it's better to touch /tmp itself
instead of touch /tmp/test.$$ and remove it.
If directory is writable, touch the directory will be success, otherwise
touch will be failed.
How about this ?
Index: etc/hotplug/ieee1394.agent
===================================================================
RCS file: /cvsroot/linux-hotplug/admin/etc/hotplug/ieee1394.agent,v
retrieving revision 1.3
diff -u -u -r1.3 ieee1394.agent
--- etc/hotplug/ieee1394.agent 4 Jan 2002 18:39:49 -0000 1.3
+++ etc/hotplug/ieee1394.agent 19 Mar 2002 01:36:56 -0000
@@ -33,9 +33,9 @@
# if called too early in booting, things break
# (bash creates tempfiles)
-if touch /tmp/test.$$ >/dev/null 2>&1
+if touch /tmp >/dev/null 2>&1
then
- rm -f /tmp/test.$$
+ : ok
else
mesg Need writable /tmp ...
exit 1
Regards,
Fumitoshi UKAI
[-- Attachment #2: Type: message/rfc822, Size: 2077 bytes --]
From: Zygo Blaxell <zblaxell@feedme.hungrycats.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#138975: hotplug: /tmp symlink vulnerability
Date: Mon, 18 Mar 2002 18:02:38 -0500
Message-ID: <E16n69G-00034f-00@satsuki.furryterror.org>
Package: hotplug
Version: 0.0.20020114-5
Severity: normal
File: /etc/hotplug/ieee1394.agent
Tags: security
Seen in /etc/hotplug/ieee1394.agent:
if touch /tmp/test.$$ >/dev/null 2>&1
then
rm -f /tmp/test.$$
else
mesg Need writable /tmp ...
exit 1
fi
Not only does this follow symlinks when it executes as root, thereby allowing someone
to create files all over the system, but it also removes innocent files created
under /tmp whose names happen to coincide with the PID of the agent...
A better approach would be to try to create a directory under /tmp.
That won't work if the /tmp disk is full, but on the other hand not much is
going to work in such a state anyway.
An even better approach would be to try to touch /tmp itself--if that
fails, you certainly won't be able to write files in subdirectories
of /tmp.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux satsuki 2.4.18-pre7aa2-zb-p3-laptop #1 Sat Feb 9 17:03:54 EST 2002 i686
Locale: LANG=C, LC_CTYPE=
Versions of packages hotplug depends on:
ii debconf 1.0.26 Debian configuration management sy
ii modutils 2.4.13-3 Linux module utilities.
next reply other threads:[~2002-03-19 1:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-03-19 1:39 Fumitoshi UKAI [this message]
2002-03-19 1:51 ` Forward: Bug#138975: hotplug: /tmp symlink vulnerability David Brownell
2002-03-19 16:51 ` Fumitoshi UKAI
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-linux-hotplug-101650225509574@msgid-missing \
--to=ukai@debian.or.jp \
--cc=linux-hotplug@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).