* Forward: Bug#138975: hotplug: /tmp symlink vulnerability
@ 2002-03-19 1:39 Fumitoshi UKAI
2002-03-19 1:51 ` David Brownell
2002-03-19 16:51 ` Fumitoshi UKAI
0 siblings, 2 replies; 3+ messages in thread
From: Fumitoshi UKAI @ 2002-03-19 1:39 UTC (permalink / raw)
To: linux-hotplug
[-- Attachment #1: Type: text/plain, Size: 999 bytes --]
Hi,
I received the following bug report.
It actually create any files on tye system by dangling symlinking
in /tmp/test.<number> (touch follows symlinks).
Anyway as report said, I think it's better to touch /tmp itself
instead of touch /tmp/test.$$ and remove it.
If directory is writable, touch the directory will be success, otherwise
touch will be failed.
How about this ?
Index: etc/hotplug/ieee1394.agent
===================================================================
RCS file: /cvsroot/linux-hotplug/admin/etc/hotplug/ieee1394.agent,v
retrieving revision 1.3
diff -u -u -r1.3 ieee1394.agent
--- etc/hotplug/ieee1394.agent 4 Jan 2002 18:39:49 -0000 1.3
+++ etc/hotplug/ieee1394.agent 19 Mar 2002 01:36:56 -0000
@@ -33,9 +33,9 @@
# if called too early in booting, things break
# (bash creates tempfiles)
-if touch /tmp/test.$$ >/dev/null 2>&1
+if touch /tmp >/dev/null 2>&1
then
- rm -f /tmp/test.$$
+ : ok
else
mesg Need writable /tmp ...
exit 1
Regards,
Fumitoshi UKAI
[-- Attachment #2: Type: message/rfc822, Size: 2077 bytes --]
From: Zygo Blaxell <zblaxell@feedme.hungrycats.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#138975: hotplug: /tmp symlink vulnerability
Date: Mon, 18 Mar 2002 18:02:38 -0500
Message-ID: <E16n69G-00034f-00@satsuki.furryterror.org>
Package: hotplug
Version: 0.0.20020114-5
Severity: normal
File: /etc/hotplug/ieee1394.agent
Tags: security
Seen in /etc/hotplug/ieee1394.agent:
if touch /tmp/test.$$ >/dev/null 2>&1
then
rm -f /tmp/test.$$
else
mesg Need writable /tmp ...
exit 1
fi
Not only does this follow symlinks when it executes as root, thereby allowing someone
to create files all over the system, but it also removes innocent files created
under /tmp whose names happen to coincide with the PID of the agent...
A better approach would be to try to create a directory under /tmp.
That won't work if the /tmp disk is full, but on the other hand not much is
going to work in such a state anyway.
An even better approach would be to try to touch /tmp itself--if that
fails, you certainly won't be able to write files in subdirectories
of /tmp.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux satsuki 2.4.18-pre7aa2-zb-p3-laptop #1 Sat Feb 9 17:03:54 EST 2002 i686
Locale: LANG=C, LC_CTYPE=
Versions of packages hotplug depends on:
ii debconf 1.0.26 Debian configuration management sy
ii modutils 2.4.13-3 Linux module utilities.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Forward: Bug#138975: hotplug: /tmp symlink vulnerability
2002-03-19 1:39 Forward: Bug#138975: hotplug: /tmp symlink vulnerability Fumitoshi UKAI
@ 2002-03-19 1:51 ` David Brownell
2002-03-19 16:51 ` Fumitoshi UKAI
1 sibling, 0 replies; 3+ messages in thread
From: David Brownell @ 2002-03-19 1:51 UTC (permalink / raw)
To: linux-hotplug
Looks right to me, except that some other agent
scripts had the same general need for writable /tmp
so maybe a more generic fix, done once, would be]
a better way to go.
- Dave
----- Original Message -----
From: "Fumitoshi UKAI" <ukai@debian.or.jp>
To: <linux-hotplug-devel@lists.sourceforge.net>
Sent: Monday, March 18, 2002 5:39 PM
Subject: Forward: Bug#138975: hotplug: /tmp symlink vulnerability
> Hi,
>
> I received the following bug report.
> It actually create any files on tye system by dangling symlinking
> in /tmp/test.<number> (touch follows symlinks).
>
> Anyway as report said, I think it's better to touch /tmp itself
> instead of touch /tmp/test.$$ and remove it.
> If directory is writable, touch the directory will be success, otherwise
> touch will be failed.
>
> How about this ?
>
> Index: etc/hotplug/ieee1394.agent
> =================================> RCS file: /cvsroot/linux-hotplug/admin/etc/hotplug/ieee1394.agent,v
> retrieving revision 1.3
> diff -u -u -r1.3 ieee1394.agent
> --- etc/hotplug/ieee1394.agent 4 Jan 2002 18:39:49 -0000 1.3
> +++ etc/hotplug/ieee1394.agent 19 Mar 2002 01:36:56 -0000
> @@ -33,9 +33,9 @@
>
> # if called too early in booting, things break
> # (bash creates tempfiles)
> -if touch /tmp/test.$$ >/dev/null 2>&1
> +if touch /tmp >/dev/null 2>&1
> then
> - rm -f /tmp/test.$$
> + : ok
> else
> mesg Need writable /tmp ...
> exit 1
>
> Regards,
> Fumitoshi UKAI
>
>
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Forward: Bug#138975: hotplug: /tmp symlink vulnerability
2002-03-19 1:39 Forward: Bug#138975: hotplug: /tmp symlink vulnerability Fumitoshi UKAI
2002-03-19 1:51 ` David Brownell
@ 2002-03-19 16:51 ` Fumitoshi UKAI
1 sibling, 0 replies; 3+ messages in thread
From: Fumitoshi UKAI @ 2002-03-19 16:51 UTC (permalink / raw)
To: linux-hotplug
At Mon, 18 Mar 2002 17:51:17 -0800,
David Brownell wrote:
> Looks right to me, except that some other agent
> scripts had the same general need for writable /tmp
> so maybe a more generic fix, done once, would be]
> a better way to go.
I committed this patch.
But I can't find any reason why this check is in ieee1394.agent only.
Which part of ieee1394.agent requires /tmp is writable?
Doesn't other agent need to check as well?
Regards,
Fumitoshi UKAI
> ----- Original Message -----
> From: "Fumitoshi UKAI" <ukai@debian.or.jp>
> To: <linux-hotplug-devel@lists.sourceforge.net>
> Sent: Monday, March 18, 2002 5:39 PM
> Subject: Forward: Bug#138975: hotplug: /tmp symlink vulnerability
>
>
> > Hi,
> >
> > I received the following bug report.
> > It actually create any files on tye system by dangling symlinking
> > in /tmp/test.<number> (touch follows symlinks).
> >
> > Anyway as report said, I think it's better to touch /tmp itself
> > instead of touch /tmp/test.$$ and remove it.
> > If directory is writable, touch the directory will be success, otherwise
> > touch will be failed.
> >
> > How about this ?
> >
> > Index: etc/hotplug/ieee1394.agent
> > =================================> > RCS file: /cvsroot/linux-hotplug/admin/etc/hotplug/ieee1394.agent,v
> > retrieving revision 1.3
> > diff -u -u -r1.3 ieee1394.agent
> > --- etc/hotplug/ieee1394.agent 4 Jan 2002 18:39:49 -0000 1.3
> > +++ etc/hotplug/ieee1394.agent 19 Mar 2002 01:36:56 -0000
> > @@ -33,9 +33,9 @@
> >
> > # if called too early in booting, things break
> > # (bash creates tempfiles)
> > -if touch /tmp/test.$$ >/dev/null 2>&1
> > +if touch /tmp >/dev/null 2>&1
> > then
> > - rm -f /tmp/test.$$
> > + : ok
> > else
> > mesg Need writable /tmp ...
> > exit 1
> >
> > Regards,
> > Fumitoshi UKAI
> >
> >
>
>
> _______________________________________________
> Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
> Linux-hotplug-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
>
>
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2002-03-19 16:51 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-03-19 1:39 Forward: Bug#138975: hotplug: /tmp symlink vulnerability Fumitoshi UKAI
2002-03-19 1:51 ` David Brownell
2002-03-19 16:51 ` Fumitoshi UKAI
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).