
Re: logcheck: Dangerous usage of /var/tmp ?



On Sat, Aug 16, 2003 at 08:33:01PM -0500, John Hasler wrote:

> Matt Zimmerman writes:
> > Unfortunately, stable still has 1.1.1-13.1, which means it still contains
> > this bug.  If there is a genuine security exposure, it should be fixed
> > for stable as well.
> 
> The /var/tmp/logcheck directory is created by dpkg during installation and
> so can be spoofed by a local attacker who simply creates it first.  The
> files in it are created by structures such as '> $TMPDIR/check.$$', relying
> on
> 
>   rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
>   if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
>         echo "Log files exist in $TMPDIR directory that cannot be removed. This
>   may be an attempt to spoof the log checker." \
>         | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
>         exit 1
>   fi
> 
> for security.  It seems to me that there is a race condition here that
> might let a clever attacker who has already spoofed the directory at
> install time spoof files in TMPDIR.

I didn't think that dpkg actually allowed users to spoof subdirectories this
way, even in a world-writable directory, but I tried it and it works:

mizar:[/usr/share/doc] sudo mkdir hello
Password:
mizar:[/usr/share/doc] sudo chown mdz hello
mizar:[/usr/share/doc] ls -ld hello
drwxr-xr-x    2 mdz      root         4096 2003-08-16 22:14 hello
mizar:[/usr/share/doc] sudo apt-get install hello
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  hello
0 packages upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 47.9kB of archives.
After unpacking 223kB of additional disk space will be used.
Get:1 http://debian unstable/main hello 2.1.1-1 [47.9kB]
Fetched 47.9kB in 0s (717kB/s)
Reading changelogs... Done
Selecting previously deselected package hello.
(Reading database ... 100008 files and directories currently installed.)
Unpacking hello (from .../hello_2.1.1-1_i386.deb) ...
Setting up hello (2.1.1-1) ...

mizar:[/usr/share/doc] ls -ld hello
drwxr-xr-x    2 mdz      root         4096 2003-08-16 22:14 hello
mizar:[/usr/share/doc] ls -l hello
total 20
-rw-r--r--    1 root     root         2066 2002-06-08 14:12 NEWS
-rw-r--r--    1 root     root         2586 2002-10-12 15:07 changelog.Debian.gz
-rw-r--r--    1 root     root         5058 2002-06-09 01:41 changelog.gz
-rw-r--r--    1 root     root         2429 2002-10-12 13:40 copyright

Even though the directory was created outside the packaging system, its
existing permissions and ownership are preserved.  I don't think this should
happen.

So I guess we need to fix this for woody.  Steve, are you willing to prepare
an update to fix this bug?  The fix used in 1.1.1-13.2 seems to have been to
use mktemp -d to create a directory at runtime instead, and that seems
reasonable to me.

-- 
 - mdz
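
Added example, not part of the original message or of logcheck itself: a shell illustration of the runtime approach mentioned above (mktemp -d), together with the ownership and mode check that a pre-created directory like the one in the transcript would fail. The function names and the logcheck.XXXXXX template are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and the template are assumptions.

# Succeed only if $1 is a real directory (not a symlink), owned by the
# invoking user, with mode exactly 0700.
dir_is_private() {
    d=$1
    [ -L "$d" ] && return 1      # a symlink standing in for the directory
    [ -d "$d" ] || return 1
    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn "$d")
    [ "$3" = "$(id -u)" ] || return 1
    case $1 in
        drwx------*) return 0 ;; # trailing * allows an ACL/SELinux marker
        *) return 1 ;;
    esac
}

# Create a fresh directory with an unpredictable name at run time and print
# its path, instead of trusting a fixed path that may already exist.
make_private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    new=$(mktemp -d "$base/logcheck.XXXXXX") || return 1
    dir_is_private "$new" || { rmdir "$new"; return 1; }
    printf '%s\n' "$new"
}

# Constructed demo: a world-writable directory and a symlink stand in for a
# path that somebody else prepared before the package was installed.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/precreated" && chmod 0777 "$sandbox/precreated"
    ln -s "$sandbox/precreated" "$sandbox/link"
    for p in "$sandbox/precreated" "$sandbox/link"; do
        dir_is_private "$p" && echo "trusted:  $p" || echo "rejected: $p"
    done
    fresh=$(make_private_tmpdir "$sandbox") && echo "created:  $fresh"
    rm -rf "$sandbox"
}
demo
```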


