Hello, intrigeri <intrigeri@debian.org> > Hi, > > José Manuel Santamaría Lema wrote (02 Jan 2013 20:22:43 GMT) : > > intrigeri <intrigeri@debian.org> > > > >> From a remote point-of-view, this is worrying: do you mean something > >> during the installation will access or create a file with a fixed name > >> in /tmp? > > > > Yes. > > > >> May it have security implications? > > > > Unfortunately, yes. See http://bugs.debian.org/cgi- > > bin/bugreport.cgi?bug=576418 > > I'm tagging that one "security". > > It's annoying, but yet another kind of security concern than the one > I was afraid of and refering to... when using such predictable names, > in many cases an attacker could overwrite any existing file on the > system with the permissions of the process that wants to create the > file. I doubt the /tmp/virt_1111 thing is immune to this class of > attacks. Is it? Any very good reason to *both* 1. use a predictable > name; and 2. use /tmp rather than a dedicated directory only writable > by users that should access this file? > > Cheers, This what that /tmp/virt_XXXX files are for: http://docs.openlinksw.com/virtuoso/accintudsockets.html I was wrong when I said it creates that file during the installation, I said that because during the installation the server is started and I tought the unix socket connections were enabled by default. However, they aren't, just do a virtuoso fresh installation and check how "DisableUnixSocket" is set to 1. What actually happens is that if there is already a /tmp/virt_1111 socket (created by a virtuoso instance launched by nepomuk/soprano) when starting the server it will hang (instead of failing and return), as I explained in the very first message of this bug report. Just for your information, I tried to do a couple malicious things in the worst case scenario (i.e. with the unix socket enabled): 1. I stoped the server, symlinked /tmp/virt_1111 to /etc/passwd and started it again. Virtuoso server removed the symlink and replaced it with a proper unix socket file. 2. As root, I disabled the sticky bit of /tmp/, then with a non-root user account I removed the /tmp/virt_1111 socket and replaced it with a symlink to /etc/passwd, then I did "isql-vt localhost:1111 dba <passwd>". It just falled back to a tcp connection, and the passwd file wasn't modified. I doubt this can be security problem, but if you figure out a way to exploit it, please just file a bug against virtuoso explaining how you did it instead of discussing it here (note that while your concerns may be reasonable, they aren't actually related to the fixes intended to be included in wheezy). That being said, looks like one of the fixes wasn't good, so I guess I will close this bug soon, upload a -3 revision and open a new one to request its unblock. Cheers.
Attachment:
signature.asc
Description: This is a digitally signed message part.