On Sat, Dec 23, 2006 at 11:20:12AM +0100, Loïc Minier wrote:
> On Fri, Dec 22, 2006, Javier Fernández-Sanguino Peña wrote:
> > I don't know how mach operates precisely, would you care to elaborate how and
> > when does it use /var/tmp/mach/? What files are created there? What control
> > does the user have on the content or naming of those files?
>
> First, /var/tmp/mach itself is currently shipped in the package (.deb)
> itself; it serves as the base directory to copy over RPM files.

Copy over RPM files from where?

> When you create a chroot to e.g. build packages, you invoke:
> mach -r centos-4-i386-os setup base

What does that do? Does it modify /var/tmp/mach in any way?

> Only users in the mach group may run the "mach-helper" SUID root
> helper which can do the chroot() syscall or run package management
> tools in the chroot (such as yum).

What does that one do? Does it modify /var/tmp/mach in any way?

> The configs of the chroot are stored in /var/lib/mach/states, the
> packages to create the chroot are downloaded into /var/cache/mach/, and
> the chroot itself is under /var/lib/mach/roots.
>
> Once the chroot is created, you can build packages with a spec file:
> mach -r centos-4-i386-os build libX11.spec
> this will install the necessary packages and build-deps in the chroot
> and copy the source package into the chroot. This is what happens for
> example in:
> /var/tmp/mach/tmp/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11-1.0.3-6.centos4.src.rpm
> (here centos-4-i386-os is the chroot name and libX11-1.0.3-6 the source
> package)

I don't understand what really happens here. You say that the packages are
downloaded into /var/cache/mach/ but then you say that the source package
resides in /var/tmp/mach/tmp/ ?

> And mach will also copy the spec file to hand to rpmbuild into:
> /var/tmp/mach/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11.spec

So the /var/tmp/mach/ path is used to build packages with a spec file?

If so, it's trivial for a user who has created /var/tmp/mach (no need to have it
have any special permissions, since the users that use this work as root) to
monitor (through the process list) when a user tries to run 'mach -r XXX build
package.spec' and just create the needed directories
/var/tmp/mach/XXXX/<package_name>/ (package_name is derived from the .spec file,
I guess) and then have <package>.src.rpm or <packagename>.spec symlink to a file
under /etc/. Depending on how mach moves the files over there, this would hose
the full system (not just DoS mach, but DoS the system itself) if a vital file
is overwritten.

If any of the contents of those files created under /var/tmp/mach/ can be
executable and the contents can be (somehow) manipulated by an attacker, he
could symlink to /etc/rcS.d/ or to /etc/cron.daily/ to have something installed
which would run as root. This would enable him to elevate privileges; think, for
example, of a rogue script that uses (or is enticed to use) 'addgroup' to
include him into a group with higher privileges in the system.

Regards

Javier
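As an added example from the defender's side (not code from this thread, from mach or from its Debian packaging), this is how a tool that writes into a shared directory such as /var/tmp can refuse symlinks planted in advance at a predictable path: every directory component is inspected with lstat for symlinks, ownership and group/world write bits, and the file itself is created with O_CREAT|O_EXCL|O_NOFOLLOW so that any pre-existing name, a symlink included, is rejected rather than followed. The directory and file names follow the thread; the "victim" file, the temporary base directory and the helper names are assumptions made up for the demonstration.

```python
import os
import stat
import tempfile

class UnsafePathError(Exception):
    """A path component under the shared base directory cannot be trusted."""
def _check_dir(path, uid):
    st = os.lstat(path)  # lstat: a planted symlink shows up as a symlink, not as its target
    sticky = bool(st.st_mode & stat.S_ISVTX)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise UnsafePathError(f"{path}: symlink or not a directory")
    if st.st_uid != uid and not (st.st_uid == 0 and sticky):
        raise UnsafePathError(f"{path}: owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
        raise UnsafePathError(f"{path}: writable by others without the sticky bit")

def safe_write(base, components, filename, data):
    """Write data to base/<components>/filename, refusing to follow any symlink."""
    uid, cur = os.getuid(), base
    _check_dir(cur, uid)
    for comp in components:
        cur = os.path.join(cur, comp)
        try:
            os.mkdir(cur, 0o700)
        except FileExistsError:
            pass  # ours from an earlier run, or planted: _check_dir decides which
        _check_dir(cur, uid)
    target = os.path.join(cur, filename)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW  # O_EXCL rejects any existing name, symlinks included
    try:
        fd = os.open(target, flags, 0o600)
    except OSError as e:  # EEXIST (or ELOOP from O_NOFOLLOW): something is already there
        raise UnsafePathError(f"{target}: {e.strerror}") from None
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target

def demo():
    """Constructed scenario: a clean build, then a symlink pre-planted at the predictable spec path."""
    base = tempfile.mkdtemp()  # stands in for /var/tmp/mach; a fresh private directory
    clean = safe_write(base, ["centos-4-i386-os", "libX11-1.0.3-6"], "libX11.spec", b"Name: libX11\n")
    victim = os.path.join(base, "victim.conf")  # assumed target the symlink points at
    os.makedirs(os.path.join(base, "other-chroot", "pkg-1.0"))
    os.symlink(victim, os.path.join(base, "other-chroot", "pkg-1.0", "pkg.spec"))
    try:
        safe_write(base, ["other-chroot", "pkg-1.0"], "pkg.spec", b"must not land\n")
        refused = False
    except UnsafePathError:
        refused = True
    # clean file written, planted path refused, victim never created through the link
    return os.path.exists(clean), refused, not os.path.exists(victim)
```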