From owner-freebsd-security Fri Feb 22 17:35:21 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.oskarmobil.cz (smtp1.oskarmobil.cz [217.77.161.133]) by hub.freebsd.org (Postfix) with ESMTP id 5BCB437B402 for ; Fri, 22 Feb 2002 17:35:11 -0800 (PST)
Received: from wh01ex01.ceskymobil.cz (wh01ex01.oskarmobil.cz [172.20.116.17]) by smtp1.oskarmobil.cz (8.11.2/8.11.1) with ESMTP id g1N1SYg98447; Sat, 23 Feb 2002 02:28:34 +0100 (CET) (envelope-from Milon.Papezik@oskarmobil.cz)
Received: by wh01ex01.oskarmobil.cz with Internet Mail Service (5.5.2653.19) id ; Sat, 23 Feb 2002 02:31:44 +0100
Message-ID:
From: =?iso-8859-1?Q?Milon_Papez=EDk?=
To: "'Kris Kennaway'"
Cc: "'Matthew Dillon'" , "'freebsd-security@freebsd.org'"
Subject: RE: RE: Third /tmp location ?
Date: Sat, 23 Feb 2002 02:31:42 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

I think that no utility should create world-writable directories on the fly. It should report an error and probably point out that an environment variable can be set.

Also, there seem to be too many places where hardcoded use of '/usr/tmp' is attempted:

---------
# cd /usr/src
# find .
-type f -name *.[hc] -exec grep -n 'usr/tmp' {} \; -print 1127: variable_set2(VAR_PKG_TMPDIR, "/usr/tmp", 0); ./release/sysinstall/install.c 270: char *cp = msgGetInput("/usr/tmp/etc", "Under which directory do you wish to save your current /etc?"); 455: saved_etc = "/usr/tmp/etc"; ./release/sysinstall/installUpgrade.c 296: val = msgGetInput("/usr/tmp", "Please enter the name of a temporary directory containing\n" ./release/sysinstall/media.c 141: variable_set2(VAR_PKG_TMPDIR, "/usr/tmp", 0); ./release/sysinstall/package.c 730: char dumptmp[] = "/usr/tmp/hlfsd.dump.XXXXXX"; ./contrib/amd/hlfsd/homedir.c 539: /* ddtfile is now something like "/usr/tmp/xfer.ddt.XXXXXX" */ ./contrib/bind/bin/named-xfer/named-xfer.c 25: "/usr/tmp", ./contrib/bind/port/freebsd/include/prand_conf.h 125: char *dirs[] = {"/tmp", "/usr/tmp", "/var/tmp", ".", "/", ./contrib/bind/port/prand_conf/prand_conf.c 121: /* Try /usr/tmp, then /tmp. */ 167: /* Try /usr/tmp, then /tmp. */ ./contrib/binutils/libiberty/choose-temp.c 7:#define P_tmpdir "/usr/tmp" ./contrib/binutils/libiberty/tmpnam.c 5092: if (access ("/usr/tmp", R_OK | W_OK) == 0) 5093: base = "/usr/tmp/"; ./contrib/gcc/config/mips/mips.c 123: /* Try /usr/tmp even though it usually doesn't exist on FreeBSD. */ 170: /* Try /usr/tmp even though it usually doesn't exist on FreeBSD. 
*/ ./contrib/gcc/choose-temp.c 1709: otherwise, in /usr/tmp or /tmp; ./contrib/gcc/gcc.c 50: sprintf(arena_name, "/usr/tmp/objc_%05u", (unsigned)getpid()); ./contrib/libobjc/thr-irix.c 24:#define _PATH_MROUTED_DUMP "/usr/tmp/mrouted.dump" 25:#define _PATH_MROUTED_CACHE "/usr/tmp/mrouted.cache" ./usr.sbin/mrouted/pathnames.h 60: else if ((stat("/usr/tmp", &sb) == SUCCESS || mkdir("/usr/tmp", 01777) == SUCCESS) && min_free("/usr/tmp") >= sz) 61: strcpy(pen, "/usr/tmp/instmp.XXXXXX"); ./usr.sbin/pkg_install/lib/pen.c 70: * /usr/tmp/zoo 5 tmp/zoo ./usr.bin/locate/code/locate.code.c 290: (void) remove ("/usr/tmp/tstuu/spool1/core"); 291: (void) remove ("/usr/tmp/tstuu/spool2/core"); 333: e = fopen ("/usr/tmp/tstuu/pty1", "w"); 353: e = fopen ("/usr/tmp/tstuu/pty2", "w"); 426: e = fopen ("/usr/tmp/tstuu/pty1", "w"); 444: e = fopen ("/usr/tmp/tstuu/pty2", "w"); 524: (void) execl ("uucico", "uucico", "-I", "/usr/tmp/tstuu/Config1", 570: (void) execl ("uucico", "uucico", "-I", "/usr/tmp/tstuu/Config2", 712: if (access ("/usr/tmp/tstuu/spool1/core", R_OK) == 0) 714: if (access ("/usr/tmp/tstuu/spool2/core", R_OK) == 0) 854:/* We must make /usr/tmp/tstuu world writeable or we won't be able to 862: if (mkdir ((char *) "/usr/tmp/tstuu", 870: if (mkdir ((char *) "/usr/tmp/tstuu/spool1", IPUBLIC_DIRECTORY_MODE) != 0 877: if (mkdir ((char *) "/usr/tmp/tstuu/spool2", IPUBLIC_DIRECTORY_MODE) != 0 886: e = xfopen ("/usr/tmp/tstuu/Config1", "w"); 890: fprintf (e, "spool /usr/tmp/tstuu/spool1\n"); 891: fprintf (e, "lockdir /usr/tmp/tstuu/spool1\n"); 892: fprintf (e, "sysfile /usr/tmp/tstuu/System1\n"); 893: fprintf (e, "sysfile /usr/tmp/tstuu/System1.2\n"); 894: fprintf (e, "portfile /usr/tmp/tstuu/Port1\n"); 895: (void) remove ("/usr/tmp/tstuu/Log1"); 897: fprintf (e, "logfile /usr/tmp/tstuu/Log1\n"); 899: fprintf (e, "%s\n", "logfile /usr/tmp/tstuu/Log1/%s/%s"); 901: fprintf (e, "statfile /usr/tmp/tstuu/Stats1\n"); 902: fprintf (e, "debugfile /usr/tmp/tstuu/Debug1\n"); 903: fprintf 
(e, "callfile /usr/tmp/tstuu/Call1\n"); 904: fprintf (e, "pubdir /usr/tmp/tstuu\n"); 916: e = xfopen ("/usr/tmp/tstuu/System1", "w"); 923: e = xfopen ("/usr/tmp/tstuu/System1.2", "w"); 934: eprog = xfopen ("/usr/tmp/tstuu/Chat1", "w"); 945: if (chmod ("/usr/tmp/tstuu/Chat1", 948: perror ("chmod (/usr/tmp/tstuu/Chat1)"); 952: fprintf (e, "chat-program /usr/tmp/tstuu/Chat1 \\P \\S\n"); 974: e = xfopen ("/usr/tmp/tstuu/Port1", "w"); 981: e = xfopen ("/usr/tmp/tstuu/Call1", "w"); 992: e = xfopen ("/usr/tmp/tstuu/Config2", "w"); 996: fprintf (e, "spool /usr/tmp/tstuu/spool2\n"); 997: fprintf (e, "lockdir /usr/tmp/tstuu/spool2\n"); 998: fprintf (e, "sysfile /usr/tmp/tstuu/System2\n"); 999: (void) remove ("/usr/tmp/tstuu/Log2"); 1001: fprintf (e, "logfile /usr/tmp/tstuu/Log2\n"); 1003: fprintf (e, "%s\n", "logfile /usr/tmp/tstuu/Log2/%s/%s"); 1005: fprintf (e, "statfile /usr/tmp/tstuu/Stats2\n"); 1006: fprintf (e, "debugfile /usr/tmp/tstuu/Debug2\n"); 1007: fprintf (e, "passwdfile /usr/tmp/tstuu/Pass2\n"); 1008: fprintf (e, "pubdir /usr/tmp/tstuu\n"); 1020: e = xfopen ("/usr/tmp/tstuu/System2", "w"); 1030: eprog = xfopen ("/usr/tmp/tstuu/Chat2", "w"); 1038: if (chmod ("/usr/tmp/tstuu/Chat2", 1041: perror ("chmod (/usr/tmp/tstuu/Chat2"); 1045: fprintf (e, "called-chat-program /bin/sh /usr/tmp/tstuu/Chat2 \\Y\n"); 1050: e = xfopen ("/usr/tmp/tstuu/Pass2", "w"); 1059: zuucp1 = "./uucp -I /usr/tmp/tstuu/Config1 -r"; 1060: zuux1 = "./uux -I /usr/tmp/tstuu/Config1 -r"; 1069: zuucp2 = "./uucp -I /usr/tmp/tstuu/Config2 -r"; 1070: zuux2 = "./uux -I /usr/tmp/tstuu/Config2 -r"; 1076: zfrom = "/usr/tmp/tstuu/from1"; 1080: zto = "/usr/tmp/tstuu/to1"; 1095: zfrom = "/usr/tmp/tstuu/from2"; 1096: zto = "/usr/tmp/tstuu/to2"; 1111: zfrom = "/usr/tmp/tstuu/from3"; 1112: zto = "/usr/tmp/tstuu/to3"; 1124: zfrom = "/usr/tmp/tstuu/from4"; 1128: zto = "/usr/tmp/tstuu/to4"; 1140: zfrom = "/usr/tmp/tstuu/from5"; 1144: zto = "/usr/tmp/tstuu/to5"; 1166: zfrom = "/usr/tmp/tstuu/spool2/to6\\*"; 1167: 
zfrom1 = "/usr/tmp/tstuu/spool2/to6.1"; 1168: zfrom2 = "/usr/tmp/tstuu/spool2/to6.2"; 1173: (void) remove ("/usr/tmp/tstuu/to6.1"); 1174: (void) remove ("/usr/tmp/tstuu/to6.2"); 1176: sprintf (ab, "%s %s!%s /usr/tmp/tstuu", zuucp1, zsys, zfrom); 1193: zto = "/usr/tmp/tstuu"; 1194: zto1 = "/usr/tmp/tstuu/to7.1"; 1195: zto2 = "/usr/tmp/tstuu/to7.2"; 1198: umake_file ("/usr/tmp/tstuu/spool1/to7.1", 150); 1199: umake_file ("/usr/tmp/tstuu/spool1/to7.2", 155); 1203: sprintf (ab, "%s test1!/usr/tmp/tstuu/spool1/to7.\\* %s", zuucp2, 1211: umake_file ("/usr/tmp/tstuu/from8", 30); 1212: sprintf (ab, "%s - test2!cat < /usr/tmp/tstuu/from8", zuux1); 1229: ucheck_file ("/usr/tmp/tstuu/to1", "test 1", 0); 1233: ucheck_file ("/usr/tmp/tstuu/to2", "test 2", 3); 1236: ucheck_file ("/usr/tmp/tstuu/to3", "test 3", 5); 1243: ucheck_file ("/usr/tmp/tstuu/to4", "test 4", 7); 1248: ucheck_file ("/usr/tmp/tstuu/to6.1", "test 6.1", 100); 1249: ucheck_file ("/usr/tmp/tstuu/to6.2", "test 6.2", 101); 1263: zto1 = "/usr/tmp/tstuu/to7.1"; 1264: zto2 = "/usr/tmp/tstuu/to7.2"; ./gnu/libexec/uucp/tstuu.c 363:#define L_tmpnam 32 /* power of 2 > sizeof("/usr/tmp/xxxxxxxxxxxxxxx") */ ./gnu/usr.bin/rcs/lib/conf.h
------------

Shouldn't all this be axed or, better, changed to use standard library functions and possibly additional environment variables?

Milon
--
milon.papezik@oskarmobil.cz

-----Original Message-----
From: Kris Kennaway [mailto:kris@obsecurity.org]
Sent: Saturday, February 23, 2002 12:27 AM
To: Kris Kennaway
Cc: Milon Papezík; 'Matthew Dillon'; 'freebsd-security@freebsd.org'
Subject: Re: RE: Third /tmp location ?

On Fri, Feb 22, 2002 at 03:25:29PM -0800, Kris Kennaway wrote:
> On Sat, Feb 23, 2002 at 12:13:55AM +0100, Milon Papezík wrote:
> > Hi,
> >
> > I simply installed 4.5R from ISO image with separate /, /usr, /var and
> > /home.
> >
> > After some configuration I run automated security check (script)
> > and it reported 3rd world writable directory /usr/tmp.
> > That was quite a surprise to me, especially with respect
> > to the debate over it some time ago on this list.
>
> Hmm.. there are faint bells ringing in my head somewhere which are
> telling me it might be something to do with pkg_add: I think I've seen
> this once or twice before, but it didn't bother me enough to track it
> down. It's pretty likely I'm just randomly associating but if anyone
> is looking into this it might be something to check.

Well, 10 seconds in the code shows this:

/* Find a good place to play. */
static char *
find_play_pen(char *pen, off_t sz)
{
    char *cp;
    struct stat sb;

    if (pen[0] && isdir(dirname(pen)) == TRUE && (min_free(dirname(pen)) >= sz))
        return pen;
    else if ((cp = getenv("PKG_TMPDIR")) != NULL && stat(cp, &sb) != FAIL && (min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if ((cp = getenv("TMPDIR")) != NULL && stat(cp, &sb) != FAIL && (min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if (stat("/var/tmp", &sb) != FAIL && min_free("/var/tmp") >= sz)
        strcpy(pen, "/var/tmp/instmp.XXXXXX");
    else if (stat("/tmp", &sb) != FAIL && min_free("/tmp") >= sz)
        strcpy(pen, "/tmp/instmp.XXXXXX");
    else if ((stat("/usr/tmp", &sb) == SUCCESS || mkdir("/usr/tmp", 01777) == SUCCESS) && min_free ("/usr/tmp") >= sz)
        strcpy(pen, "/usr/tmp/instmp.XXXXXX");
    else {
        cleanup(0);
        errx(2, __FUNCTION__ ": can't find enough temporary space to extract the files, please set your\n"
            "PKG_TMPDIR environment variable to a location with at least %ld bytes\n"
            "free", (long)sz);
        return NULL;
    }
    return pen;
}

If /var/tmp and /tmp aren't big enough to extract the package, it creates /usr/tmp with mode 01777 (world-writable, sticky bit set) if it does not already exist, and uses it.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message