Bug#977877: console-setup: setupcon --setup-dir ... generates temporary file name inside etc/console-setup directory
Hi Anton,
Thanks for the feedback. You raise some valid concerns here.
I may have overlooked a simpler solution to the reproducibility problem I mentioned. I was wondering if we could copy the temporary file to /etc/console-setup with a constant name (in [1]). This does not tweak anything related to the temp file creation itself (either in /tmp or /run) but just rename the file when being copied to /etc/console-setup.
Since the /etc/console-setup is for anything related to the console-setup package, I feel it may be safe to assume that any other application / program would not create a file with the same name as we would use.
Would like to understand if I am overlooking something here?
[1] https://salsa.debian.org/installer-team/console-setup/-/blob/master/setupcon?ref_type=heads#L1258
________________________________________
From: Anton Zinoviev <anton@lml.bas.bg>
Sent: Friday, January 31, 2025 4:42 PM
To: balakumar adithya(TSIP TEUR); 977877@bugs.debian.org
Cc: dinesh kumar(TSIP TMIEC ODG Porting); kunijadar shivanand(TSIP TMIEC ODG Porting); ashrith sai(TSIP); hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4); yoshida toshiko(吉田 敏子 ○DITC□DIT○OST)
Subject: Re: Bug#977877: console-setup: setupcon --setup-dir ... generates temporary file name inside etc/console-setup directory
On Fri, Jan 31, 2025 at 09:03:26AM +0000, Adithya.Balakumar@toshiba-tsip.com wrote:
> >
> > This temporary file name changes across builds which causes
> > reproducibility issues.
All file names in /tmp have to be unpredictable or else this leads to
serious security problems.
> I am attaching a patch that attempts to fix the issue mentioned here.
> The attached patch attempts to solve this with a consistent suffix
> appended to the temporary filename.
There are at least two problems in this patch.
First, what if something has already created a file /tmp/tmpkbd.kbdfile
or /tmp/tmpkbd.kbd_linux or /tmp/tmpkbd.setupdir? Setupcon will fail.
Anything can make such a file. This can be a previous failed for some
reason run of setupcon, an user testing a new version of setupcon, a
user who intentionaly does a DOS attack.
Second, after you touch the temp file, it is imperative that you test
that the touched file is owned by the user executing the script and that
it is not a symlink. Otherwise, this can easily lead to the so called
symlink attack.
These are two problems that I can see. But even if these problems are
fixed, I would still feel uneasy about the patch. In the area of
security the people never say "the program runs ok in most environments,
so it is ok to release it". In the area of security the people don't
care whether the program runs ok or not. They care that the program is
safe even in the worst possible UNTHINKABLE environment.
The bottomline is that using "touch" to create a file in /run (with some
appropriate checks) is probably safe. If this fails, you can probably
try to create a file in in the home directory of the user running the
script (although this would be unmannerly behaviour). However, if you
have to create a file in /tmp, then this file has to be created using
"mktemp".
Anton Zinoviev
Reply to: