Re: logcheck: Dangerous usage of /var/tmp ?
On Sat, Aug 16, 2003 at 08:33:01PM -0500, John Hasler wrote:
> Matt Zimmerman writes:
> > Unfortunately, stable still has 1.1.1-13.1, which means it still contains
> > this bug. If there is a genuine security exposure, it should be fixed
> > for stable as well.
>
> The /var/tmp/logcheck directory is created by dpkg during installation and
> so can be spoofed by a local attacker who simply creates it first. The
> files in it are created by structures such as '> $TMPDIR/check.$$', relying
> on
>
> rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
> if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
> echo "Log files exist in $TMPDIR directory that cannot be removed. This
> may be an attempt to spoof the log checker." \
> | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
> exit 1
> fi
>
> for security. It seems to me that there is a race condition here that
> might let a clever attacker who has already spoofed the directory at
> install time spoof files in TMPDIR.

I didn't think that dpkg actually allowed users to spoof subdirectories this
way, even in a world-writable directory, but I tried it and it works:

mizar:[/usr/share/doc] sudo mkdir hello
Password:
mizar:[/usr/share/doc] sudo chown mdz hello
mizar:[/usr/share/doc] ls -ld hello
drwxr-xr-x 2 mdz root 4096 2003-08-16 22:14 hello
mizar:[/usr/share/doc] sudo apt-get install hello
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
hello
0 packages upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 47.9kB of archives.
After unpacking 223kB of additional disk space will be used.
Get:1 http://debian unstable/main hello 2.1.1-1 [47.9kB]
Fetched 47.9kB in 0s (717kB/s)
Reading changelogs... Done
Selecting previously deselected package hello.
(Reading database ... 100008 files and directories currently installed.)
Unpacking hello (from .../hello_2.1.1-1_i386.deb) ...
Setting up hello (2.1.1-1) ...
mizar:[/usr/share/doc] ls -ld hello
drwxr-xr-x 2 mdz root 4096 2003-08-16 22:14 hello
mizar:[/usr/share/doc] ls -l hello
total 20
-rw-r--r-- 1 root root 2066 2002-06-08 14:12 NEWS
-rw-r--r-- 1 root root 2586 2002-10-12 15:07 changelog.Debian.gz
-rw-r--r-- 1 root root 5058 2002-06-09 01:41 changelog.gz
-rw-r--r-- 1 root root 2429 2002-10-12 13:40 copyright

Even though the directory was created outside the packaging system, its
existing permissions and ownership are preserved. I don't think this should
happen.

So I guess we need to fix this for woody. Steve, are you willing to prepare
an update to fix this bug? The fix used in 1.1.1-13.2 seems to have been to
use mktemp -d to create a directory at runtime instead, and that seems
reasonable to me.
--
- mdz
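The runtime `mktemp -d` approach mentioned in the message above, together with an ownership check for a pre-existing fixed directory, as an added example that is not part of the original thread and is not logcheck's code. The function names `dir_is_trusted`, `make_private_tmpdir` and `demo`, and the `logcheck.XXXXXX` template, are assumptions.

```shell
#!/bin/sh
# Added example, not logcheck's code. Function names are hypothetical.

# dir_is_trusted DIR
# Succeeds only if DIR is a real directory (not a symlink), is owned by the
# user running the script, and is not writable by group or others. A fixed
# path such as /var/tmp/logcheck that fails this test may have been created
# by someone else before the package was installed.
dir_is_trusted() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    # ls -ldn prints e.g. "drwx------ 2 1000 1000 ..."; characters 6 and 9
    # of the mode string are the group-write and other-write bits.
    ls -ldn -- "$dir" | awk -v uid="$(id -u)" '
        NR == 1 && $3 == uid &&
        substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w" { ok = 1 }
        END { exit !ok }'
}

# make_private_tmpdir
# Creates a fresh directory at run time with mktemp -d (mode 0700, random
# name, fails if the name already exists) and prints its path.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/logcheck.XXXXXX"
}

# demo: create the work directory, verify it, use it, remove it.
demo() {
    work=$(make_private_tmpdir) || return 1
    if dir_is_trusted "$work"; then
        : > "$work/check.$$"      # same file name pattern as in the thread
        echo "using private work dir"
        status=0
    else
        echo "refusing untrusted work dir" >&2
        status=1
    fi
    rm -rf -- "$work"
    return $status
}

demo
```
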