[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

On 18:42 Wed 13 Aug     , Brian May wrote:
> Dmitry E. Oboukhov wrote:
>> qemu makes mount the directory /tmp/mount.$$. Attacker creates many
>> symlinks /tmp/dir.\d+ -> /etc and if qemu
>> (/usr/sbin/qemu-make-debian-root) starts then /etc goes
>> out from root directory tree. The result: system is unusable.
> I might be dense, but I don't get this.

> Attacker does:

> root@andean:/tmp# ln -s /etc /tmp/mount-1234

> Then the genuine user does:

> root@andean:/tmp# mkdir /tmp/mount-1234
> mkdir: cannot create directory `/tmp/mount-1234': File exists

> strace shows:
> mkdir("/tmp/pmount-1234", 0777)         = -1 EEXIST (File exists)

> So, ok, this means the process can't continue any more (denial of
> service attack), and if the process does continue this is a problem,
> otherwise I can't see how this would bring the entire system down.

> Brian May

yes, set -e directive is present in this script :)

of cource
the report is  needed to be verified by hand
for make separate by severity levels :)

I'll added few directives for check verifying scripts for 'set -e' :)

... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537

Attachment: signature.asc
Description: Digital signature

Reply to: