The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[linux-security] *sigh* another RH5 /tmp problem


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Sun, 15 Mar 1998 14:37:57 +0500 (ESK)
Date: Thu, 12 Mar 1998 16:00:43 -0500
From: Brian Beaudoin <[email protected]>
To: "Mark A. Spencer" <[email protected]>
Subject: [linux-security] Re: *sigh* another RH5 /tmp problem
Cc: [email protected]

Mark,

I've seen several people talk about the insecurity of writing tempfiles
in /tmp, but there is a solution to it all.

Before a file writes to /tmp or any directory under /tmp, the type,
status, and ownership of those files should be checked.  Actually, it
may be sufficient to simply check to see if it's writing to a file or a
symlink.

Example:
	if [ -f /etc/dhcpc/resolv.conf ]; then
	  if [ ! -l /tmp/dhcplog ]
	  then
	    echo "setting up resolv.conf" >> /tmp/dhcplog
	  fi
	  cp /etc/dhcp/resolv.conf /etc
	fi

or (before writing to /tmp/dhcplog):

	if [ -l /tmp/dhcplog ]; then
	  rm /tmp/dhcplog
	fi

Programmers and script writers should watch out for things like this (as
if they don't already have enough to watch out for), and as
administrators, we should all watch what goes on our machines like a
hawk, even if it is a complete OS upgrade from a reputable vendor.

Brian Beaudoin

[mod: This is approved so that you all and especially Brian can see
that this is NOT a solution!

An attack to these "solutions" does (in shell like the above):

          ln -s /etc/passwd b
          while (true)
            do
		mv b dhcplog
		mv dhcplog b
          done

There is a 50/50 chance of the file not being there when "-l
/tmp/dhcplog" is checked, and again a 50/50 chance of it being there
again when ">> /tmp/dhcplog" is executed....
(timeslices etc. make things a little more complicated, but you get the
idea.)
                    -- REW]


Mark A. Spencer wrote:
> 
> RedHat 5, when using dhcp to configure the interface calls a script
> called "ifdhcpc-done" to be executed after a dhcp interface is
> configured. At the end of the process it updates resolv.conf:
> 
> if [ -f /etc/dhcpc/resolv.conf ]; then
>        echo "setting up resolv.conf" >> /tmp/dhcplog
>        cp /etc/dhcpc/resolv.conf /etc
> fi
> 
> There is no protection against the dhcplog file being a symbolic link,
> clobbering, blah de blah de blah...  (it seems pretty useless to maintain
> it too, since this is the only message that ever seems to appear in the
> log).
> 
> -rw-rw-rw-   1 root     root          690 Mar  9 17:23 dhcplog
> 
> Oh, and the file also seems to default to being permissions of 666 which
> allows for easy avoidance of disk quotas...
> 
> Anyway, I would just comment out the echo line and be done
> 
> The only way to exploit this is if the dhcplog file doesn't already exist
> which can occur if the system has been up for 10 days or more and is then
> rebooted.
> 
>                                 -Mark
> 
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe: mail -s unsubscribe [email protected] < /dev/null

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe [email protected] < /dev/null

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру