[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFH: Insecure directory creation?

On Sat, Dec 23, 2006, Javier Fernández-Sanguino Peña wrote:
> >  First, /var/tmp/mach itself is currently shipped in the package (.deb)
> >  itself; it serves as the base directory to copy over RPM files.
> Copy over RPM files from where?

 mach can be used to 1) create chroots and 2) build RPM packages in this
 chroot; I'm referring to the second use case in which /var/tmp/mach
 serves as a directory to copy over SRPMs and .spec files.

> >  When you create a chroot to e.g. build packages, you invoke:
> >     mach -r centos-4-i386-os setup base
> What does that do? Does it modify /var/tmp/mach in any way?

 It creates a chroot, I don't think it uses /var/tmp/mach at any point,
 but this is a pre-requisite to create an environment to use

> >  Only users in the mach group may run the "mach-helper" SUID root
> >  helper which can do the chroot() syscall or run package management
> >  tools in the chroot (such as yum).
> What does that one do? Does it modify /var/tmp/mach in any way??

 mach-helper serves vraious functions to mach which require root
 privileges.  For example, it can run the host's RPM to run for a
 chroot, run a program in a chroot, run the host's yum or createrepo
 commands for a chroot.  I mention it because it is SUID root, and might
 hence perhaps be misused to gain root permissions.

 I don't think it uses /var/tmp/mach itself.

> >  The configs of the chroot are stored in /var/lib/mach/states, the
> >  packages to create the chroot are downloaded into /var/cache/mach/, and
> >  the chroot itself is under /var/lib/mach/roots.
> > 
> >  Once the chroot is created, you can build packages with a spec file:
> >     mach -r centos-4-i386-os build libX11.spec
> >  this will install the necessary packages and build-deps in the chroot
> >  and copy the source package into the chroot.  This is what happens for
> >  example in:
> >  /var/tmp/mach/tmp/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11-1.0.3-6.centos4.src.rpm
> >  (here centos-4-i386-os is the chroot name and libX11-1.0.3-6 the source
> >  package)
> I don't understand what really happens here. You say that the packages are
> downloaded into /var/cache/mach/ but then you say that the source package
> resides in /var/tmp/mach/tmp/ ?

 The packages to setup the official RPM packages which are useful to
 setup the chroot or to install additional software (such as build
 tools) are downloaded in /var/cache/mach, but the SRPMs that mach is
 *building* are copied into /var/tmp/mach.

> >  And mach will also copy the spec file to hand to rpmbuild into:
> >    /var/tmp/mach/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11.spec
> so the /var/tmp/mach/ path is used to build packages with a spec file?


> If so, it's trivial for a user who has created /var/tmp/mach (no need to have
> it have any special permissions, since the users that use this work as root)
> to monitor (through the process list) when a user tries to run 'mach -r XXX
> build package.spec' and just create the needed directories
> /var/tmp/mach/XXXX/<package_name>/  (package_name is derived from the .spec
> file I guess) and then have <package>.src.rpm  or <packagename>.spec simlink
> to a file under /etc/. Depending on how mach moves the files over there this
> would hose the full system (not just DoS mach, but DoS the system itself) if
> a vital file is overwritten.

 That's what I took as an example in the upstream thread as well:
 overwriting /etc/passwd is a local DoS.

 You write "create the needed directories", but if the program fails
 when the directory exists, this means that it isn't exploitable?

Loïc Minier <lool@dooz.org>
 "Forget your stupid theme park! I'm gonna make my own! With hookers!
  And blackjack! In fact, forget the theme park!"          -- Bender

Reply to: