Date:      Sat, 23 Feb 2002 02:31:42 +0100
From:      =?iso-8859-1?Q?Milon_Papez=EDk?= <Milon.Papezik@oskarmobil.cz>
To:        "'Kris Kennaway'" <kris@obsecurity.org>
Cc:        "'Matthew Dillon'" <dillon@apollo.backplane.com>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   RE: RE: Third /tmp location ?
Message-ID:  <B57AF59C8ABFD411BBE000508BF300F303B70636@wh01ex01.oskarmobil.cz>

Hi,

I think that no utility should create world-writable directories on the fly.
It should report an error and probably point out that an environment variable
can be set.

Also, there seem to be too many places where hardcoded use of '/usr/tmp' is
attempted:
---------
# cd /usr/src
# find . -type f -name *.[hc] -exec grep -n 'usr/tmp' {} \; -print

1127:    variable_set2(VAR_PKG_TMPDIR,		"/usr/tmp", 0);
./release/sysinstall/install.c
270:	    char *cp = msgGetInput("/usr/tmp/etc", "Under which directory do
you wish to save your current /etc?");
455:    saved_etc = "/usr/tmp/etc";
./release/sysinstall/installUpgrade.c
296:	val = msgGetInput("/usr/tmp", "Please enter the name of a temporary
directory containing\n"
./release/sysinstall/media.c
141:	variable_set2(VAR_PKG_TMPDIR, "/usr/tmp", 0);
./release/sysinstall/package.c
730:  char dumptmp[] = "/usr/tmp/hlfsd.dump.XXXXXX";
./contrib/amd/hlfsd/homedir.c
539:		/* ddtfile is now something like "/usr/tmp/xfer.ddt.XXXXXX"
*/
./contrib/bind/bin/named-xfer/named-xfer.c
25:	"/usr/tmp",
./contrib/bind/port/freebsd/include/prand_conf.h
125:	char *dirs[] = {"/tmp", "/usr/tmp", "/var/tmp", ".", "/",  
./contrib/bind/port/prand_conf/prand_conf.c
121:  /* Try /usr/tmp, then /tmp.  */
167:  /* Try /usr/tmp, then /tmp.  */
./contrib/binutils/libiberty/choose-temp.c
7:#define P_tmpdir "/usr/tmp"
./contrib/binutils/libiberty/tmpnam.c
5092:	if (access ("/usr/tmp", R_OK | W_OK) == 0)
5093:	  base = "/usr/tmp/";
./contrib/gcc/config/mips/mips.c
123:  /* Try /usr/tmp even though it usually doesn't exist on FreeBSD.  */
170:  /* Try /usr/tmp even though it usually doesn't exist on FreeBSD.  */
./contrib/gcc/choose-temp.c
1709:   otherwise, in /usr/tmp or /tmp;
./contrib/gcc/gcc.c
50:  sprintf(arena_name, "/usr/tmp/objc_%05u", (unsigned)getpid());
./contrib/libobjc/thr-irix.c
24:#define _PATH_MROUTED_DUMP	"/usr/tmp/mrouted.dump"
25:#define _PATH_MROUTED_CACHE	"/usr/tmp/mrouted.cache"
./usr.sbin/mrouted/pathnames.h
60:    else if ((stat("/usr/tmp", &sb) == SUCCESS || mkdir("/usr/tmp",
01777) == SUCCESS) && min_free("/usr/tmp") >= sz)
61:	strcpy(pen, "/usr/tmp/instmp.XXXXXX");
./usr.sbin/pkg_install/lib/pen.c
70: *		/usr/tmp/zoo			 5 tmp/zoo
./usr.bin/locate/code/locate.code.c
290:  (void) remove ("/usr/tmp/tstuu/spool1/core");
291:  (void) remove ("/usr/tmp/tstuu/spool2/core");
333:		e = fopen ("/usr/tmp/tstuu/pty1", "w");
353:		e = fopen ("/usr/tmp/tstuu/pty2", "w");
426:	    e = fopen ("/usr/tmp/tstuu/pty1", "w");
444:	    e = fopen ("/usr/tmp/tstuu/pty2", "w");
524:	  (void) execl ("uucico", "uucico", "-I", "/usr/tmp/tstuu/Config1",
570:	  (void) execl ("uucico", "uucico", "-I", "/usr/tmp/tstuu/Config2",
712:  if (access ("/usr/tmp/tstuu/spool1/core", R_OK) == 0)
714:  if (access ("/usr/tmp/tstuu/spool2/core", R_OK) == 0)
854:/* We must make /usr/tmp/tstuu world writeable or we won't be able to
862:  if (mkdir ((char *) "/usr/tmp/tstuu",
870:  if (mkdir ((char *) "/usr/tmp/tstuu/spool1", IPUBLIC_DIRECTORY_MODE)
!= 0
877:  if (mkdir ((char *) "/usr/tmp/tstuu/spool2", IPUBLIC_DIRECTORY_MODE)
!= 0
886:      e = xfopen ("/usr/tmp/tstuu/Config1", "w");
890:      fprintf (e, "spool /usr/tmp/tstuu/spool1\n");
891:      fprintf (e, "lockdir /usr/tmp/tstuu/spool1\n");
892:      fprintf (e, "sysfile /usr/tmp/tstuu/System1\n");
893:      fprintf (e, "sysfile /usr/tmp/tstuu/System1.2\n");
894:      fprintf (e, "portfile /usr/tmp/tstuu/Port1\n");
895:      (void) remove ("/usr/tmp/tstuu/Log1");
897:      fprintf (e, "logfile /usr/tmp/tstuu/Log1\n");
899:      fprintf (e, "%s\n", "logfile /usr/tmp/tstuu/Log1/%s/%s");
901:      fprintf (e, "statfile /usr/tmp/tstuu/Stats1\n");
902:      fprintf (e, "debugfile /usr/tmp/tstuu/Debug1\n");
903:      fprintf (e, "callfile /usr/tmp/tstuu/Call1\n");
904:      fprintf (e, "pubdir /usr/tmp/tstuu\n");
916:      e = xfopen ("/usr/tmp/tstuu/System1", "w");
923:      e = xfopen ("/usr/tmp/tstuu/System1.2", "w");
934:	  eprog = xfopen ("/usr/tmp/tstuu/Chat1", "w");
945:	  if (chmod ("/usr/tmp/tstuu/Chat1",
948:	      perror ("chmod (/usr/tmp/tstuu/Chat1)");
952:	  fprintf (e, "chat-program /usr/tmp/tstuu/Chat1 \\P \\S\n");
974:      e = xfopen ("/usr/tmp/tstuu/Port1", "w");
981:      e = xfopen ("/usr/tmp/tstuu/Call1", "w");
992:	  e = xfopen ("/usr/tmp/tstuu/Config2", "w");
996:	  fprintf (e, "spool /usr/tmp/tstuu/spool2\n");
997:	  fprintf (e, "lockdir /usr/tmp/tstuu/spool2\n");
998:	  fprintf (e, "sysfile /usr/tmp/tstuu/System2\n");
999:	  (void) remove ("/usr/tmp/tstuu/Log2");
1001:	  fprintf (e, "logfile /usr/tmp/tstuu/Log2\n");
1003:	  fprintf (e, "%s\n", "logfile /usr/tmp/tstuu/Log2/%s/%s");
1005:	  fprintf (e, "statfile /usr/tmp/tstuu/Stats2\n");
1006:	  fprintf (e, "debugfile /usr/tmp/tstuu/Debug2\n");
1007:	  fprintf (e, "passwdfile /usr/tmp/tstuu/Pass2\n");
1008:	  fprintf (e, "pubdir /usr/tmp/tstuu\n");
1020:	  e = xfopen ("/usr/tmp/tstuu/System2", "w");
1030:	  eprog = xfopen ("/usr/tmp/tstuu/Chat2", "w");
1038:	  if (chmod ("/usr/tmp/tstuu/Chat2",
1041:	      perror ("chmod (/usr/tmp/tstuu/Chat2");
1045:	  fprintf (e, "called-chat-program /bin/sh /usr/tmp/tstuu/Chat2
\\Y\n");
1050:	  e = xfopen ("/usr/tmp/tstuu/Pass2", "w");
1059:  zuucp1 = "./uucp -I /usr/tmp/tstuu/Config1 -r";
1060:  zuux1 = "./uux -I /usr/tmp/tstuu/Config1 -r";
1069:      zuucp2 = "./uucp -I /usr/tmp/tstuu/Config2 -r";
1070:      zuux2 = "./uux -I /usr/tmp/tstuu/Config2 -r";
1076:      zfrom = "/usr/tmp/tstuu/from1";
1080:	zto = "/usr/tmp/tstuu/to1";
1095:	zfrom = "/usr/tmp/tstuu/from2";
1096:      zto = "/usr/tmp/tstuu/to2";
1111:	zfrom = "/usr/tmp/tstuu/from3";
1112:      zto = "/usr/tmp/tstuu/to3";
1124:      zfrom = "/usr/tmp/tstuu/from4";
1128:	zto = "/usr/tmp/tstuu/to4";
1140:      zfrom = "/usr/tmp/tstuu/from5";
1144:	zto = "/usr/tmp/tstuu/to5";
1166:	  zfrom = "/usr/tmp/tstuu/spool2/to6\\*";
1167:	  zfrom1 = "/usr/tmp/tstuu/spool2/to6.1";
1168:	  zfrom2 = "/usr/tmp/tstuu/spool2/to6.2";
1173:      (void) remove ("/usr/tmp/tstuu/to6.1");
1174:      (void) remove ("/usr/tmp/tstuu/to6.2");
1176:      sprintf (ab, "%s %s!%s /usr/tmp/tstuu", zuucp1, zsys, zfrom);
1193:	  zto = "/usr/tmp/tstuu";
1194:	  zto1 = "/usr/tmp/tstuu/to7.1";
1195:	  zto2 = "/usr/tmp/tstuu/to7.2";
1198:      umake_file ("/usr/tmp/tstuu/spool1/to7.1", 150);
1199:      umake_file ("/usr/tmp/tstuu/spool1/to7.2", 155);
1203:      sprintf (ab, "%s test1!/usr/tmp/tstuu/spool1/to7.\\* %s", zuucp2,
1211:      umake_file ("/usr/tmp/tstuu/from8", 30);
1212:      sprintf (ab, "%s - test2!cat < /usr/tmp/tstuu/from8", zuux1);
1229:	ucheck_file ("/usr/tmp/tstuu/to1", "test 1", 0);
1233:    ucheck_file ("/usr/tmp/tstuu/to2", "test 2", 3);
1236:    ucheck_file ("/usr/tmp/tstuu/to3", "test 3", 5);
1243:	ucheck_file ("/usr/tmp/tstuu/to4", "test 4", 7);
1248:      ucheck_file ("/usr/tmp/tstuu/to6.1", "test 6.1", 100);
1249:      ucheck_file ("/usr/tmp/tstuu/to6.2", "test 6.2", 101);
1263:	  zto1 = "/usr/tmp/tstuu/to7.1";
1264:	  zto2 = "/usr/tmp/tstuu/to7.2";
./gnu/libexec/uucp/tstuu.c
363:#define L_tmpnam 32 /* power of 2 > sizeof("/usr/tmp/xxxxxxxxxxxxxxx")
*/
./gnu/usr.bin/rcs/lib/conf.h
------------

Shouldn't all this be axed or, better, changed to use standard library
functions
and possibly additional environment variables?

	Milon
--
milon.papezik@oskarmobil.cz


-----Original Message-----
From: Kris Kennaway [mailto:kris@obsecurity.org]
Sent: Saturday, February 23, 2002 12:27 AM
To: Kris Kennaway
Cc: Milon Papezík; 'Matthew Dillon'; 'freebsd-security@freebsd.org'
Subject: Re: RE: Third /tmp location ?


On Fri, Feb 22, 2002 at 03:25:29PM -0800, Kris Kennaway wrote:
> On Sat, Feb 23, 2002 at 12:13:55AM +0100, Milon Papezík wrote:
> > Hi,
> > 
> > I simply installed 4.5R from ISO image with separate /, /usr, /var and
> > /home.
> > 
> > After some configuration I run automated security check (script)
> > and it reported 3rd world writable directory /usr/tmp.
> > That was quite a surprise to me, especially with respect
> > to the debate over it some time ago on this list.
> 
> Hmm.. there are faint bells ringing in my head somewhere which are
> telling me it might be something to do with pkg_add: I think I've seen
> this once or twice before, but it didn't bother me enough to track it
> down.  It's pretty likely I'm just randomly associating but if anyone
> is looking into this it might be something to check.

Well, 10 seconds in the code shows this:

/*
 * Find a good place to play.
 *
 * Chooses the directory in which the package will be extracted and writes a
 * "<dir>/instmp.XXXXXX" template into the caller's buffer `pen`.
 *
 * pen: in/out buffer.  If it already names a path whose parent passes
 *      isdir() and has at least `sz` free (per min_free()), it is kept as is.
 * sz:  space required; the error message below reports it in bytes.
 *
 * Returns `pen` on success.  On failure it calls cleanup(0) and errx(2, ...).
 *
 * Candidates are tried in this order: existing `pen`, $PKG_TMPDIR, $TMPDIR,
 * /var/tmp, /tmp, /usr/tmp.
 *
 * NOTE(review): long lines in this listing appear to have been wrapped by the
 * mail client (the errx() message is split mid-literal); the code is shown
 * here exactly as posted.
 */
static char *
find_play_pen(char *pen, off_t sz)
{
    char *cp;
    struct stat sb;

    /* Caller already supplied a pen whose parent directory is usable. */
    if (pen[0] && isdir(dirname(pen)) == TRUE && (min_free(dirname(pen)) >=
sz))
        return pen;
    /*
     * Environment overrides.  stat() is used only as an existence test: sb is
     * never inspected, so nothing here checks that cp is a directory, who
     * owns it, or what its mode is.
     * NOTE(review): sprintf() is unbounded and cp comes from the environment;
     * the capacity of pen is not visible in this function -- confirm the
     * caller's buffer size, or switch to snprintf() with an explicit limit.
     */
    else if ((cp = getenv("PKG_TMPDIR")) != NULL && stat(cp, &sb) != FAIL &&
(min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if ((cp = getenv("TMPDIR")) != NULL && stat(cp, &sb) != FAIL &&
(min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    /* Fixed fallbacks; each needs only to exist and have enough free space. */
    else if (stat("/var/tmp", &sb) != FAIL && min_free("/var/tmp") >= sz)
        strcpy(pen, "/var/tmp/instmp.XXXXXX");
    else if (stat("/tmp", &sb) != FAIL && min_free("/tmp") >= sz)
        strcpy(pen, "/tmp/instmp.XXXXXX");
    /*
     * Last resort: if /usr/tmp does not exist it is created here, requesting
     * mode 01777 (world-writable plus sticky bit, subject to the process
     * umask).  The directory is created before the free-space test and is
     * left in place afterwards, even when min_free() then rejects it.
     * NOTE(review): this is the side effect reported in the thread -- a new
     * shared-writable directory appears without the administrator asking for
     * one.  A more conservative design uses /usr/tmp only when it already
     * exists and otherwise falls through to the PKG_TMPDIR error below.
     */
    else if ((stat("/usr/tmp", &sb) == SUCCESS || mkdir("/usr/tmp", 01777)
== SUCCESS) && min_free
("/usr/tmp") >= sz)
        strcpy(pen, "/usr/tmp/instmp.XXXXXX");
    else {
        /* Nothing suitable: clean up and tell the user to set PKG_TMPDIR. */
        cleanup(0);
        errx(2, __FUNCTION__
": can't find enough temporary space to extract the files, please set
your\n"
"PKG_TMPDIR environment variable to a location with at least %ld bytes\n"
"free", (long)sz);
        /* errx() from <err.h> exits, so this return is not expected to run. */
        return NULL;
    }
    /* NOTE(review): presumably the caller expands the XXXXXX template -- confirm. */
    return pen;
}

If /var/tmp and /tmp aren't big enough to extract the package, it
creates /usr/tmp (requesting mode 01777) and uses it.

Kris


