From: Fumitoshi UKAI
Date: Tue, 19 Mar 2002 01:39:32 +0000
Subject: Forward: Bug#138975: hotplug: /tmp symlink vulnerability
To: linux-hotplug@vger.kernel.org

Hi,

I received the following bug report.
It actually creates any files on the system by dangling symlinking
in /tmp/test. (touch follows symlinks).

Anyway, as the report said, I think it's better to touch /tmp itself
instead of touch /tmp/test.$$ and remove it. If the directory is writable,
touching the directory will succeed; otherwise touch will fail.

How about this?

Index: etc/hotplug/ieee1394.agent =================================================================== RCS file: /cvsroot/linux-hotplug/admin/etc/hotplug/ieee1394.agent,v retrieving revision 1.3 diff -u -u -r1.3 ieee1394.agent --- etc/hotplug/ieee1394.agent 4 Jan 2002 18:39:49 -0000 1.3 +++ etc/hotplug/ieee1394.agent 19 Mar 2002 01:36:56 -0000 @@ -33,9 +33,9 @@ # if called too early in booting, things break # (bash creates tempfiles) -if touch /tmp/test.$$ >/dev/null 2>&1 +if touch /tmp >/dev/null 2>&1 then - rm -f /tmp/test.$$ + : ok else mesg Need writable /tmp ... exit 1

Regards,
Fumitoshi UKAI

Subject: Bug#138975: hotplug: /tmp symlink vulnerability
Reply-To: Zygo Blaxell, 138975@bugs.debian.org
From: Zygo Blaxell
To: Debian Bug Tracking System
Date: Mon, 18 Mar 2002 18:02:38 -0500

Package: hotplug
Version: 0.0.20020114-5
Severity: normal
File: /etc/hotplug/ieee1394.agent
Tags: security

Seen in /etc/hotplug/ieee1394.agent:

        if touch /tmp/test.$$ >/dev/null 2>&1
        then
            rm -f /tmp/test.$$
        else
            mesg Need writable /tmp ...
            exit 1
        fi

Not only does this follow symlinks when it executes as root, thereby
allowing someone to create files all over the system, but it also removes
innocent files created under /tmp whose names happen to coincide with
the PID of the agent...

A better approach would be to try to create a directory under /tmp.
That won't work if the /tmp disk is full, but on the other hand not much
is going to work in such a state anyway.

An even better approach would be to try to touch /tmp itself--if that
fails, you certainly won't be able to write files in subdirectories
of /tmp.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux satsuki 2.4.18-pre7aa2-zb-p3-laptop #1 Sat Feb 9 17:03:54 EST 2002 i686
Locale: LANG=C, LC_CTYPE=

Versions of packages hotplug depends on:
ii  debconf   1.0.26    Debian configuration management sy
ii  modutils  2.4.13-3  Linux module utilities.
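
Review bot: In the changed condition ("if touch /tmp >/dev/null 2>&1"), touch on an existing directory only updates its timestamps and creates nothing, so the test can pass while creating a file in /tmp would still fail, for example on a full filesystem; the context comment "(bash creates tempfiles)" says file creation is what the script depends on. If that case matters, create and remove a directory under /tmp instead, which the report names as the other option. Separately, the "then" branch is now the no-op ": ok"; negating the test ("if ! touch /tmp ...") and keeping only the error branch would read more directly.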
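
The two problems named in the bug report (touch writing through a symlink at a predictable name, and rm deleting a file whose name collides), reproduced in a private scratch directory beside the report's "create a directory under /tmp" alternative. This is an added example, not part of either message or of the hotplug package; the function names, the pid 1234, the hotplug.XXXXXX template and the use of mktemp -d are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the hotplug package. Everything happens inside
# a private scratch directory; the pid 1234 and all file names are constructed.

# The check quoted in the bug report. $1 = directory, $2 = stand-in for $$.
check_old() {
    if touch "$1/test.$2" >/dev/null 2>&1; then
        rm -f "$1/test.$2"
    else
        return 1
    fi
}

# Directory-based check (assumed form): mktemp -d picks a random name and uses
# mkdir(2), which fails on an existing name instead of following a symlink.
check_new() {
    d=$(mktemp -d "$1/hotplug.XXXXXX" 2>/dev/null) || return 1
    rmdir "$d"
}

# Scenario 1: a dangling symlink sits at the predictable name.
# Prints "created" if the check wrote through the link, else "untouched".
# The scratch dir is not sticky or world-writable, so fs.protected_symlinks
# (which blocks this where enabled) does not change the result here.
probe_symlink() {
    base=$(mktemp -d) || return 2
    mkdir "$base/tmp" "$base/victim"
    ln -s "$base/victim/file" "$base/tmp/test.1234"
    "$1" "$base/tmp" 1234 || :
    if [ -e "$base/victim/file" ]; then r=created; else r=untouched; fi
    rm -rf "$base"
    echo "$r"
}

# Scenario 2: an unrelated file happens to carry the same name.
# Prints "removed" if the check deleted it, else "kept".
probe_collision() {
    base=$(mktemp -d) || return 2
    echo data > "$base/test.1234"
    "$1" "$base" 1234 || :
    if [ -e "$base/test.1234" ]; then r=kept; else r=removed; fi
    rm -rf "$base"
    echo "$r"
}

for f in check_old check_new; do
    echo "$f: symlink=$(probe_symlink "$f") collision=$(probe_collision "$f")"
done
```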