Date:      Fri, 16 Apr 2004 15:11:36 +0200
From:      dada@sbox.tugraz.at
To:        FreeBSD problem reports <freebsd-gnats-submit@FreeBSD.org>
Subject:    ports/65620: ports/security/cfs: cfssh(1) creates insecure directory
Message-ID:  <20040416151136.w8cokww0gk0ckc4s@webmail.tugraz.at>
Resent-Message-ID: <200404161320.i3GDKLpG003711@freefall.freebsd.org>


>Number:         65620
>Category:       ports
>Synopsis:       ports/security/cfs: cfssh(1) creates insecure directory
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 16 06:20:21 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Martin Kammerhofer <dada@sbox.tugraz.at>
>Release:        FreeBSD 4.10-BETA i386
>Organization:
Graz University
>Environment:
System: FreeBSD Martin.liebt.Susi 4.10-BETA FreeBSD 4.10-BETA #1: Wed Apr 14
19:45:27 CEST 2004 Martin@Martin.liebt.Susi:/usr/obj/usr/src/sys/LEND4 i386

>Description:

The security/cfs port installs a shell script "cfssh". This script is
written for the Korn-Shell. The first line of the script is patched to
use the FreeBSD /bin/sh instead of /bin/ksh (by means of
ports/security/cfs/files/patch-ac). The script uses a ksh-specific
feature to generate a random directory name. This feature - the
special shell variable $RANDOM - is not present in /bin/sh! As a
consequence the script always generates the very predictable directory
"/crypt/.." instead of a random directory name.

Quote from the cfssh(1) manpage:

    Since the generated names are somewhat obscure and are hidden from
    view with CFS's "." mechanism, casual attackers cannot easily exploit
    the attached cleartext even if they can spoof the UID of the user.

The quoted intention of the script is clearly broken by the hardcoded
name. Everybody attaches to the same directory under /crypt.

>How-To-Repeat:

Invoke cfssh(1) twice.

>Fix:

Use a mechanism available to /bin/sh as a means of generating a random
pathname, e.g. FreeBSD's mktemp(1) command.

--- /usr/ports/security/cfs/work/cfs-1.4.1/cfssh	Fri Apr 16 10:40:13 2004
+++ cfssh	Fri Apr 16 11:15:59 2004
@@ -5,7 +5,7 @@
 	exit
 fi
 export PS1="crypto:`basename $1`$ "
-D=.$RANDOM.$RANDOM
+D=$(basename $(mktemp -u /tmp/.XXXXXXXXXXXXX))
 cattach $1 $D || exit 1
 echo "Directory is /crypt/$D"
 cd /crypt/$D
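
Review bot: On the new "D=" line nothing checks that mktemp succeeded, and both command substitutions are unquoted, so a failed mktemp leaves D empty and "cattach $1 $D" is then run without a directory name. Suggest D=$(basename "$(mktemp -u /tmp/.XXXXXXXXXXXXX)") followed by [ -n "$D" ] || exit 1 before the cattach line. Also worth a comment in the script: with -u the name is only tested for uniqueness against /tmp, not against /crypt where it is actually used, so mktemp serves purely as a name generator here and a collision under /crypt is caught only by the existing "cattach ... || exit 1".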

>Release-Note:
>Audit-Trail:
>Unformatted:
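
The failure described in the report, reproduced next to a validated version of the mktemp-based name and a simple audit check for the same class of bug. This is an added example, not part of the original report or of the cfs port; the function names legacy_name, random_name and sh_uses_random are hypothetical, and the sample script is constructed.

```shell
#!/bin/sh
# Added illustration; all function names here are hypothetical.

# The original assignment as /bin/sh evaluates it. RANDOM is unset in a
# subshell so ksh and bash reproduce the /bin/sh result as well.
legacy_name() {
    ( unset RANDOM; printf '%s\n' ".$RANDOM.$RANDOM" )
}

# mktemp-based name as in the proposed fix, with the result validated so a
# failed mktemp can never hand an empty or dot-only name to cattach.
random_name() {
    p=$(mktemp -u /tmp/.XXXXXXXXXXXXX) || return 1
    d=${p##*/}
    case $d in
        .|..) return 1 ;;
        .?*) printf '%s\n' "$d" ;;
        *) return 1 ;;
    esac
}

# Heuristic audit: succeed when a script runs under /bin/sh yet expands
# $RANDOM (a comment mentioning it also matches).
sh_uses_random() {
    IFS= read -r first < "$1" || return 1
    case $first in
        '#!/bin/sh'|'#!/bin/sh '*) ;;
        *) return 1 ;;
    esac
    grep -Eq '\$(RANDOM|\{RANDOM)' "$1"
}

# Constructed sample: the two relevant lines of the patched script.
sample=$(mktemp) || exit 1
printf '%s\n' '#!/bin/sh' 'D=.$RANDOM.$RANDOM' > "$sample"
echo "legacy name: $(legacy_name)"
echo "fixed name:  $(random_name)"
sh_uses_random "$sample" && echo "sample: \$RANDOM used under /bin/sh"
rm -f "$sample"
```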


