Re: RFH: Insecure directory creation?
On Sat, Dec 23, 2006, Javier Fernández-Sanguino Peña wrote:
> > First, /var/tmp/mach itself is currently shipped in the package (.deb)
> > itself; it serves as the base directory to copy over RPM files.
> Copy over RPM files from where?
mach can be used to 1) create chroots and 2) build RPM packages in this
chroot; I'm referring to the second use case in which /var/tmp/mach
serves as a directory to copy over SRPMs and .spec files.
> > When you create a chroot to e.g. build packages, you invoke:
> > mach -r centos-4-i386-os setup base
> What does that do? Does it modify /var/tmp/mach in any way?
It creates a chroot, I don't think it uses /var/tmp/mach at any point,
but this is a pre-requisite to create an environment to use
> > Only users in the mach group may run the "mach-helper" SUID root
> > helper which can do the chroot() syscall or run package management
> > tools in the chroot (such as yum).
> What does that one do? Does it modify /var/tmp/mach in any way??
mach-helper serves vraious functions to mach which require root
privileges. For example, it can run the host's RPM to run for a
chroot, run a program in a chroot, run the host's yum or createrepo
commands for a chroot. I mention it because it is SUID root, and might
hence perhaps be misused to gain root permissions.
I don't think it uses /var/tmp/mach itself.
> > The configs of the chroot are stored in /var/lib/mach/states, the
> > packages to create the chroot are downloaded into /var/cache/mach/, and
> > the chroot itself is under /var/lib/mach/roots.
> > Once the chroot is created, you can build packages with a spec file:
> > mach -r centos-4-i386-os build libX11.spec
> > this will install the necessary packages and build-deps in the chroot
> > and copy the source package into the chroot. This is what happens for
> > example in:
> > /var/tmp/mach/tmp/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11-1.0.3-6.centos4.src.rpm
> > (here centos-4-i386-os is the chroot name and libX11-1.0.3-6 the source
> > package)
> I don't understand what really happens here. You say that the packages are
> downloaded into /var/cache/mach/ but then you say that the source package
> resides in /var/tmp/mach/tmp/ ?
The packages to setup the official RPM packages which are useful to
setup the chroot or to install additional software (such as build
tools) are downloaded in /var/cache/mach, but the SRPMs that mach is
*building* are copied into /var/tmp/mach.
> > And mach will also copy the spec file to hand to rpmbuild into:
> > /var/tmp/mach/centos-4-i386-os/libX11-1.0.3-6.centos4/libX11.spec
> so the /var/tmp/mach/ path is used to build packages with a spec file?
> If so, it's trivial for a user who has created /var/tmp/mach (no need to have
> it have any special permissions, since the users that use this work as root)
> to monitor (through the process list) when a user tries to run 'mach -r XXX
> build package.spec' and just create the needed directories
> /var/tmp/mach/XXXX/<package_name>/ (package_name is derived from the .spec
> file I guess) and then have <package>.src.rpm or <packagename>.spec simlink
> to a file under /etc/. Depending on how mach moves the files over there this
> would hose the full system (not just DoS mach, but DoS the system itself) if
> a vital file is overwritten.
That's what I took as an example in the upstream thread as well:
overwriting /etc/passwd is a local DoS.
You write "create the needed directories", but if the program fails
when the directory exists, this means that it isn't exploitable?
Loïc Minier <email@example.com>
"Forget your stupid theme park! I'm gonna make my own! With hookers!
And blackjack! In fact, forget the theme park!" -- Bender