Package: lintian
Tags: patch, security
Severity: wishlist
Hello, lintan maintainers!
please, see full discussion in -devel:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
for example, see the bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
(if attacker makes symlink from /tmp/twiki to /etc/shadow, then
he takes full access to the system (when twiki installs or
upgrades))
Hi all!
I wrote the check script for the lintian package. This additional check
verifies the debian packages for the presents of the discussed bug.
Notes and additions are welcome.
patch has been placed in attache
PS: X11 also uses the /tmp/.X11-unix directory, which may be used for
attacks, I don't known :(
but many scripts (in different packages) use /tmp/.X11-unix, if this is
not a security problem, may be I must add ignoring for this directory in
the lintian script?
I don't known yet :(
DEO> This message about the error concerns a few packages at once. I've
DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO> config scripts were tested.
DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.
DEO> For example if a script uses in its work a temp file which is created
DEO> in /tmp directory, then every user can create symlink with the same
DEO> name in this directory in order to destroy or rewrite some system
DEO> file.
DEO> I set Severity into grave for this bug. The table of discovered
DEO> problems is below.
--
... mpd is off
. ''`. Dmitry E. Oboukhov
: :’ : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
--- checks/symlink_attack 1970-01-01 03:00:00.000000000 +0300
+++ checks/symlink_attack 2008-08-19 23:11:44.000000000 +0400
@@ -0,0 +1,114 @@
+# symlink_attack -- lintian check script -*- perl -*-
+#
+# Copyright (C) 2008 Dmitry E. Oboukhov <unera@debian.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package Lintian::symlink_attack;
+use strict;
+use Tags;
+
+# check file
+#
+# the parameters:
+# 1. name of check file
+# 2. error template
+# 3. warning template
+sub check_file($$$)
+{
+ my ($file_name, $err_tmpl, $warn_tmpl)=@_;
+
+ open my $file, '<', $file_name
+ or die "Can not open file `$file_name': $!\n";
+
+ $file_name =~ s/^..// if $file_name =~ m{^\./};
+ $file_name =~ s{^debfiles/}{debian/};
+
+ # read begin of shebang
+ local $_;
+ return unless 10 == read $file, $_, 10;
+ return unless m{^#!\s*/};
+ seek $file, 0, 0;
+
+ $_ = <$file>;
+ return unless m{^#!\s*(?:/\S+){2,}};
+
+ # read all file content
+ # (remove comments, join backslash-ended string)
+ $_ = join '', map { s/#.*/\n/; s/\\$//; $_ } readline $file;
+
+ # errors
+ my $errors_found;
+ if (m{>\s*/tmp/} or m{(?:^|[|\s])tee\s+(?:-\S+\s+)*/tmp/}m)
+ {
+ $errors_found=1;
+ tag $err_tmpl, "$file_name (pipe)";
+ }
+
+ my @wh = m{(mount|mkdir|chown|chmod)\s[^;]*?/tmp/}g;
+ # remove dups
+ @wh = keys %{{ map {($_,0)} @wh }};
+ if (@wh)
+ {
+ $errors_found=1;
+ tag $err_tmpl, "$file_name ($_)" for @wh;
+ }
+
+ # warnings
+ unless ($errors_found)
+ {
+ tag $warn_tmpl, $file_name if m{\s+/tmp/};
+ }
+}
+
+
+sub run
+{
+ my ($package, $type)=(@_);
+
+ my @check_files;
+
+ # check maintainer scripts
+ if ($type eq 'source')
+ {
+ @check_files=
+ grep /(((pre|post)(inst|rm))|(config))(?:\.in)?$/,
+ glob ('debfiles/*');
+ }
+ else
+ {
+ @check_files=
+ grep /(((pre|post)(inst|rm))|(config))$/, glob ('control/*');
+ }
+ check_file $_ => 'maint-scripts-uses-tmp-err',
+ 'maint-scripts-uses-tmp-warn' for @check_files;
+
+ # check binary all files in the package
+ if ($type eq 'binary')
+ {
+ chdir 'unpacked';
+ open my $dir, '-|', 'find -type f -executable'
+ or die "Can not start find: $!";
+ while(<$dir>)
+ {
+ chomp;
+ check_file $_ => 'scripts-uses-tmp-err', 'scripts-uses-tmp-warn';
+ }
+ chdir '..';
+ }
+}
+
+1;
+
+# vim: syntax=perl ts=4 sw=4 expandtab
--- checks/symlink_attack.desc 1970-01-01 03:00:00.000000000 +0300
+++ checks/symlink_attack.desc 2008-08-19 21:42:08.000000000 +0400
@@ -0,0 +1,74 @@
+Check-Script: symlink_attack
+Author: Dmitry E. Oboukhov <unera@debian.org>
+Abbrev: sa_check
+Type: binary, source
+Unpack-Level: 2
+Info: This script checks source and binaries for possible symlink attacks
+
+Tag: maint-scripts-uses-tmp-err
+Type: error
+Info: Some of maintainer's scripts use direct access to /tmp directory
+ Unsing of direct access to /tmp directory may lead to symlinks attacks.
+ .
+ For example if a script uses in its work a temp file which is created in
+ /tmp directory, then every user can create symlink with the same name
+ in this directory in order to destroy or rewrite some system or user
+ file. Symlink attack may also lead not only to the data desctruction but
+ to denial of service as well.
+ .
+ Use commands mktemp(1) or tempfile(1) in your shell-scripts, or use perl
+ module File::Temp (perldoc File::Temp) in your perl-scripts.
+ .
+ Instead of 'mktemp /tmp/tmp.XXXXXX' use 'mktemp -t' command.
+ .
+ Remember that maintainer's scripts are started with root permissions.
+
+Tag: maint-scripts-uses-tmp-warn
+Type: warning
+Info: Some of maintainer's scripts use direct access to /tmp directory
+ Unsing of direct access to /tmp directory may lead to symlinks attacks.
+ .
+ For example if a script uses in its work a temp file which is created in
+ /tmp directory, then every user can create symlink with the same name
+ in this directory in order to destroy or rewrite some system or user
+ file. Symlink attack may also lead not only to the data desctruction but
+ to denial of service as well.
+ .
+ Use commands mktemp(1) or tempfile(1) in your shell-scripts, or use perl
+ module File::Temp (perldoc File::Temp) in your perl-scripts.
+ .
+ Instead of 'mktemp /tmp/tmp.XXXXXX' use 'mktemp -t' command.
+ .
+ Remember that maintainer's scripts are started with root permissions.
+
+Tag: scripts-uses-tmp-err
+Type: error
+Info: Some of package's scripts use direct access to /tmp directory
+ Unsing of direct access to /tmp directory may lead to symlinks attacks.
+ .
+ For example if a script uses in its work a temp file which is created in
+ /tmp directory, then every user can create symlink with the same name
+ in this directory in order to destroy or rewrite some system or user
+ file. Symlink attack may also lead not only to the data desctruction but
+ to denial of service as well.
+ .
+ Use commands mktemp(1) or tempfile(1) in your shell-scripts, or use perl
+ module File::Temp (perldoc File::Temp) in your perl-scripts.
+ .
+ Instead of 'mktemp /tmp/tmp.XXXXXX' use 'mktemp -t' command.
+
+Tag: scripts-uses-tmp-warn
+Type: warning
+Info: Some of package's scripts use direct access to /tmp directory
+ Unsing of direct access to /tmp directory may lead to symlinks attacks.
+ .
+ For example if a script uses in its work a temp file which is created in
+ /tmp directory, then every user can create symlink with the same name
+ in this directory in order to destroy or rewrite some system or user
+ file. Symlink attack may also lead not only to the data desctruction but
+ to denial of service as well.
+ .
+ Use commands mktemp(1) or tempfile(1) in your shell-scripts, or use perl
+ module File::Temp (perldoc File::Temp) in your perl-scripts.
+ .
+ Instead of 'mktemp /tmp/tmp.XXXXXX' use 'mktemp -t' command.
Attachment:
signature.asc
Description: Digital signature