
Re: RFH: Insecure directory creation?



On Sat, Dec 23, 2006 at 11:20:12AM +0100, Loïc Minier wrote:
> On Fri, Dec 22, 2006, Javier Fernández-Sanguino Peña wrote:
> > I don't know how mach operates precisely, would you care to elaborate how and
> > when does it use /var/tmp/mach/? What files are created there? What control
> > does the user have on the content or naming of those files?
> 
>  First, /var/tmp/mach itself is currently shipped in the package (.deb)
>  itself; it serves as the base directory to copy over RPM files.

Copy over RPM files from where?

>  When you create a chroot to e.g. build packages, you invoke:
>     mach -r centos-4-i386-os setup base

What does that do? Does it modify /var/tmp/mach in any way?

>  Only users in the mach group may run the "mach-helper" SUID root
>  helper which can do the chroot() syscall or run package management
>  tools in the chroot (such as yum).

What does that one do? Does it modify /var/tmp/mach in any way??

>  The configs of the chroot are stored in /var/lib/mach/states, the
>  packages to create the chroot are downloaded into /var/cache/mach/, and
>  the chroot itself is under /var/lib/mach/roots.
> 
>  Once the chroot is created, you can build packages with a spec file:
>     mach -r centos-4-i386-os build libX11.spec
>  this will install the necessary packages and build-deps in the chroot
>  and copy the source package into the chroot.  This is what happens for
>  example in:
>  /var/tmp/mach/tmp/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11-1.0.3-6.centos4.src.rpm
>  (here centos-4-i386-os is the chroot name and libX11-1.0.3-6 the source
>  package)

I don't understand what really happens here. You say that the packages are
downloaded into /var/cache/mach/ but then you say that the source package
resides in /var/tmp/mach/tmp/ ?

>  And mach will also copy the spec file to hand to rpmbuild into:
>    /var/tmp/mach/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11.spec

so the /var/tmp/mach/ path is used to build packages with a spec file?

If so, it's trivial for a user who has created /var/tmp/mach (no need to have
it have any special permissions, since the users that use this work as root)
to monitor (through the process list) when a user tries to run 'mach -r XXX
build package.spec' and just create the needed directories
/var/tmp/mach/XXXX/<package_name>/  (package_name is derived from the .spec
file I guess) and then have <package>.src.rpm or <packagename>.spec symlink
to a file under /etc/. Depending on how mach moves the files over there this
would hose the full system (not just DoS mach, but DoS the system itself) if
a vital file is overwritten.

If any of the contents of those files created under  /var/tmp/mach/ can be
executable and the contents can be (somehow) manipulated by an attacker, he
could symlink to /etc/rcS.d/ or to /etc/cron.daily/ to have something
installed which would run as root. This would enable him to elevate
privileges, think, for example, of a rogue script that uses (or is enticed to
use) 'addgroup' to include him into a group with higher privileges in the
system.

Regards

Javier
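
The following is an added example, not part of the original message and not mach's own code: one way a tool could create a per-build directory and copy a file into it without following a symlink planted by another user. The function names `open_dir_nofollow` and `safe_copy_into` are hypothetical, and the base directory is assumed to be trusted.

```python
import os

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def open_dir_nofollow(parent_fd, name, uid):
    """Create (if missing) and open `name` below parent_fd without following symlinks."""
    try:
        os.mkdir(name, 0o700, dir_fd=parent_fd)
    except FileExistsError:
        pass  # may have been pre-created by another user; verified below
    fd = os.open(name, DIR_FLAGS, dir_fd=parent_fd)  # fails if name is a symlink
    st = os.fstat(fd)  # fstat on the fd: no window between check and use
    if st.st_uid != uid or st.st_mode & 0o022:
        os.close(fd)
        raise PermissionError(f"{name!r} is not owned by uid {uid} or is group/world-writable")
    return fd

def safe_copy_into(base, components, filename, data):
    """Write `data` to base/components.../filename; return the number of bytes written.

    `base` is assumed to be a trusted directory (e.g. shipped by the package).
    """
    uid = os.geteuid()
    fd = os.open(base, DIR_FLAGS)
    try:
        for name in components:
            nxt = open_dir_nofollow(fd, name, uid)
            os.close(fd)
            fd = nxt
        # O_EXCL: refuse any pre-existing name, including a dangling symlink.
        out = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                      0o600, dir_fd=fd)
        with os.fdopen(out, "wb") as f:
            return f.write(data)
    finally:
        os.close(fd)
```

Each path component is opened relative to the already-verified parent descriptor, so a directory or file swapped in between the check and the write is rejected rather than followed.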
