Bug#447514: ITP: apt-cacher-ng -- Caching proxy for distribution of software packages
On Sun Oct 21, 2007 at 22:53:11 +0200, Eduard Bloch wrote:
> > Please ensure you fix the /var/tmp/testfile issue prior to uploading.
>
> I am not sure what you mean, but maybe it failed for you with an obscure
> message about that file.
This is related to the mail I sent you with MsgID
20071005112850.GA30577@steve.org.uk on the 5th of October. (Copied below).
Basically the code as written allows arbitary local users to
truncate any file upon the system which the daemon has write access to.
> The package still needs some polishing on the
> startup behaviour and system environment checks, this will be fixed and
> double-tested in clean environment before the final release.
:)
Steve
--
Hi,
I've been looking for a better caching proxy than
approx, etc, recently. So seeing your project was
very timely!
However there is a security issue in the code.
As a normal user run:
ln -s /etc/passwd /var/tmp/testfile
Now compile and run this code, (or actually don't!) as root:
using namespace std;
void mkbasedir(string & path) {
unsigned int pos;
for(pos=0;pos<path.size();pos=path.find("/", pos+1)) {
if(pos>0)
mkdir(path.substr(0,pos).c_str(), 00755);
}
}
int main( int argc, char *argv[] )
{
string tmp="/var/tmp/testfile";
mkbasedir(tmp); // try or force its directory creation
int t=open(tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 00644);
if(t<0) {
cerr << "Cache directory not writeable. Check the permissions of file" <<endl;
exit(1);
}
close(t);
unlink(tmp.c_str());
return 0;
}
What happens? /etc/passwd becomes 0 bytes.
That's code from your apt-cacher.cc file, and providing apt-cacher
is started as root you've allowed a local user to truncate arbitary
files ..
Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
Reply to: