Date:      Tue, 21 Jul 1998 22:54:52 +0100 (IST)
From:      rotel@indigo.ie
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   bin/7358: [PATCH] Security patches for locatedb etc
Message-ID:  <199807212154.WAA02317@indigo.ie>


>Number:         7358
>Category:       bin
>Synopsis:       [PATCH] Security patches for locatedb etc
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 21 15:00:02 PDT 1998
>Last-Modified:
>Originator:     Niall Smart
>Organization:
>Release:        FreeBSD 2.2.6-STABLE i386
>Environment:


FreeBSD ginseng.indigo.ie 2.2.6-STABLE FreeBSD 2.2.6-STABLE #0: Fri Jul  3 19:59:15 IST 1998     root@ginseng.indigo.ie:/usr/src/stable/src/sys/compile/GINSENG  i386

>Description:

David Kelly (dkelly@hiwaay.net) brought up some security problems in
the shell scripts used to make the locate databases some time ago; I
sent patches to freebsd-security but they were never applied, here
they are again.

>How-To-Repeat:


>Fix:
	

>From owner-freebsd-security@FreeBSD.ORG Sat Apr 25 13:19:02 1998
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199804251210.NAA01265@indigo.ie>
Date: Sat, 25 Apr 1998 13:10:25 +0000
In-Reply-To: David Kelly <dkelly@hiwaay.net>
       "Re: Symlinks again..." (Apr 24, 10:13pm)
Reply-To: rotel@indigo.ie
To: David Kelly <dkelly@hiwaay.net>, freebsd-security@FreeBSD.ORG
Subject: Re: Symlinks again...
Cc: wosch@FreeBSD.ORG, ncb05@uow.edu.au

On Apr 24, 10:13pm, David Kelly wrote:
} Subject: Re: Symlinks again...
> >
> > [ discussion of problem with temporary files in locate.* ]
> > 
> > The code is still wrong though, an account is compromisable.  I
> > would submit a PR.  mktemp(1) should be ported to -stable to make
> > fixing/avoiding this type of thing easier.  Any takers?
> 
> It appears mktemp made it into RELENG_2_2 recently (I don't know how to 
> ask CVS yet). So maybe all that's left to do is fold it into the right 
> places?

Oh, good. :)  It was brought in last Saturday by obrien@freebsd.org, I
hadn't checked.  Here are the patches:

*** /usr/src/usr.bin/locate/locate/mklocatedb.sh	Sun Dec 21 16:43:09 1997
--- mklocatedb.sh	Sat Apr 25 13:00:10 1998
***************
*** 30,53 ****
  #
  # $Id: mklocatedb.sh,v 1.2.2.1 1997/12/13 18:21:02 sef Exp $
  
- 
  # The directory containing locate subprograms
  : ${LIBEXECDIR=/usr/libexec}; export LIBEXECDIR
  
  PATH=$LIBEXECDIR:/bin:/usr/bin:$PATH; export PATH
  
! umask 077			# protect temp files
  
! TMPDIR=${TMPDIR:-/tmp}; export TMPDIR
! if test X"$TMPDIR" = X -o ! -d "$TMPDIR"; then
! 	TMPDIR=/tmp; export TMPDIR
  fi
  
  # utilities to built locate database
  : ${bigram=locate.bigram}
  : ${code=locate.code}
  : ${sort=sort}
  
  
  sortopt="-u -T $TMPDIR"
  sortcmd=$sort
--- 30,58 ----
  #
  # $Id: mklocatedb.sh,v 1.2.2.1 1997/12/13 18:21:02 sef Exp $
  
  # The directory containing locate subprograms
  : ${LIBEXECDIR=/usr/libexec}; export LIBEXECDIR
  
  PATH=$LIBEXECDIR:/bin:/usr/bin:$PATH; export PATH
  
! bigrams=`mktemp -t mklocatedb`
! filelist=`mktemp -t mklocatedb`
  
! if [ -z "$bigrams" -o -z "$filelist" ]; then
! 	echo "`basename $0`: cannot create temporary files (check \$TMPDIR)" >&2
! 	exit 1
  fi
  
+ trap 'rm -f $bigrams $filelist' 0 1 2 3 5 10 15
+ 
  # utilities to built locate database
  : ${bigram=locate.bigram}
  : ${code=locate.code}
  : ${sort=sort}
  
+ if [ -z "$TMPDIR" -o ! -d "$TMPDIR" -o ! -w "$TMPDIR" ]; then
+ 	TMPDIR=/tmp; export TMPDIR
+ fi
  
  sortopt="-u -T $TMPDIR"
  sortcmd=$sort
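Review bot: Removing `umask 077` here (and in the concatdb.sh hunk) leaves every file not created by mktemp under the caller's umask, including whatever `$sort` spills beneath `-T $TMPDIR`. Whether sort restricts the mode of its own temporary files is not visible from this patch, so I would keep the `umask 077			# protect temp files` line as defence in depth. Separately, if the first `mktemp -t mklocatedb` succeeds and the second fails, the script exits at the `-z` check before the trap is installed and the first file is left behind. Installing the trap right after the first mktemp succeeds, and testing each call on its own, closes that gap.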
***************
*** 56,68 ****
  case X"$1" in 
  	X-nosort|X-presort) sortcmd=cat; sortopt=;shift;; 
  esac
- 
- 
- bigrams=$TMPDIR/_mklocatedb$$.bigrams
- filelist=$TMPDIR/_mklocatedb$$.list
- 
- trap 'rm -f $bigrams $filelist' 0 1 2 3 5 10 15
- 
  
  if $sortcmd $sortopt > $filelist; then
          $bigram < $filelist | $sort -nr | 
--- 61,66 ----
*** /usr/src/usr.bin/locate/locate/concatdb.sh	Sun Dec 21 16:43:09 1997
--- concatdb.sh	Sat Apr 25 12:52:56 1998
***************
*** 37,64 ****
  
  PATH=$LIBEXECDIR:/bin:/usr/bin:$PATH; export PATH
  
- umask 077			# protect temp files
- 
- TMPDIR=${TMPDIR:-/tmp}; export TMPDIR;
- if test X"$TMPDIR" = X -o ! -d "$TMPDIR"; then
- 	TMPDIR=/tmp; export TMPDIR
- fi
- 
  # utilities to built locate database
  : ${bigram=locate.bigram}
  : ${code=locate.code}
  : ${sort=sort}
  : ${locate=locate}
  
- 
  case $# in 
!         [01]) 	echo 'usage: concatdb databases1 ... databaseN > newdb'
  		exit 1
  		;;
  esac
  
  
- bigrams=$TMPDIR/_concatdb$$.bigrams
  trap 'rm -f $bigrams' 0 1 2 3 5 10 15
  
  for db 
--- 37,60 ----
  
  PATH=$LIBEXECDIR:/bin:/usr/bin:$PATH; export PATH
  
  # utilities to built locate database
  : ${bigram=locate.bigram}
  : ${code=locate.code}
  : ${sort=sort}
  : ${locate=locate}
  
  case $# in 
!         [01]) 	echo "usage: `basename $0` databases1 ... databaseN > newdb" >&2
  		exit 1
  		;;
  esac
  
+ bigrams=`mktemp -t concatdb`
+ if [ -z "$bigrams" ]; then
+ 	echo "$0: cannot create temporary file (check \$TMPDIR)" >&2
+ 	exit 1
+ fi
  
  trap 'rm -f $bigrams' 0 1 2 3 5 10 15
  
  for db 
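Review bot: The new mktemp failure message prints the full `$0`, while the usage line in this same hunk and every other message the patch touches use `basename $0`. I would make it consistent: ``echo "`basename $0`: cannot create temporary file (check \$TMPDIR)" >&2``. The `for db` loop continues outside the hunk, so how `$bigrams` is used afterwards is not visible here.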
*** /usr/src/usr.bin/locate/locate/updatedb.sh	Sun Dec 21 16:43:09 1997
--- updatedb.sh	Sat Apr 25 13:03:16 1998
***************
*** 35,60 ****
  
  # The directory containing locate subprograms
  : ${LIBEXECDIR=/usr/libexec}; export LIBEXECDIR
- TMPDIR=${TMPDIR:-/tmp}; export TMPDIR
- if test X"$TMPDIR" = X -o ! -d "$TMPDIR"; then
- 	TMPDIR=/tmp; export TMPDIR
- fi
  
  PATH=$LIBEXECDIR:/bin:/usr/bin:$PATH; export PATH
  
  
! : ${mklocatedb=locate.mklocatedb}	 # make locate database program
! : ${FCODES=/var/db/locate.database}	 # the database
! : ${SEARCHPATHS="/"}		# directories to be put in the database
! : ${PRUNEPATHS="/tmp /usr/tmp /var/tmp"} # unwanted directories
! : ${FILESYSTEMS="ufs"}			 # allowed filesystems 
  : ${find=find}
  
  case X"$SEARCHPATHS" in 
! 	X) echo "$0: empty variable SEARCHPATHS"; exit 1;; esac
  case X"$FILESYSTEMS" in 
! 	X) echo "$0: empty variable FILESYSTEMS"; exit 1;; esac
  
  # Make a list a paths to exclude in the locate run
  excludes="! (" or=""
  for fstype in $FILESYSTEMS
--- 35,61 ----
  
  # The directory containing locate subprograms
  : ${LIBEXECDIR=/usr/libexec}; export LIBEXECDIR
  
  PATH=$LIBEXECDIR:/bin:/usr/bin:$PATH; export PATH
  
  
! : ${mklocatedb=locate.mklocatedb}	# make locate database program
! : ${FCODES=/var/db/locate.database}	# the database
! : ${SEARCHPATHS="/"}			# directories to be put in the database
! : ${PRUNEPATHS="/tmp /usr/tmp /var/tmp"}	# unwanted directories
! : ${FILESYSTEMS="ufs"}			# allowed filesystems 
  : ${find=find}
  
  case X"$SEARCHPATHS" in 
! 	X) echo "`basename $0`: empty variable SEARCHPATHS" >&2; exit 1;; esac
  case X"$FILESYSTEMS" in 
! 	X) echo "`basename $0`: empty variable FILESYSTEMS" >&2; exit 1;; esac
  
+ if [ "`id -un`" != "nobody" ]; then
+ 	echo "`basename $0`: this script should be run as the user \"nobody\"" >&2
+ 	exit 1;
+ fi
+ 	
  # Make a list a paths to exclude in the locate run
  excludes="! (" or=""
  for fstype in $FILESYSTEMS
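Review bot: The added `id -un` test hard-codes the account name "nobody", so an installation that runs the update from an existing root cron entry, or under a different dedicated unprivileged account, is refused with no way to override it. Taking the expected name from a variable with a default, in the same form as the settings just above, keeps the safe default while allowing a site choice, e.g. `: ${UPDATEDB_USER=nobody}` (variable name made up for illustration). Nothing in the visible hunks creates `$FCODES` or makes it writable by that account, so the first run as nobody would presumably fail at the final redirect unless the file is prepared separately. A comment next to the check saying so would help.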
***************
*** 72,78 ****
  	   done;;
  esac
  
! tmp=$TMPDIR/_updatedb$$
  trap 'rm -f $tmp' 0 1 2 3 5 10 15
  		
  # search locally
--- 73,84 ----
  	   done;;
  esac
  
! tmp=`mktemp -t updatedb`
! if [ -z "$tmp" ]; then
! 	echo "`basename $0`: cannot create temporary file (check \$TMPDIR)" >&2
! 	exit 1
! fi
! 
  trap 'rm -f $tmp' 0 1 2 3 5 10 15
  		
  # search locally
***************
*** 82,88 ****
  then
  	case X"`$find $tmp -size -257c -print`" in
  		X) cat $tmp > $FCODES;;
! 		*) echo "updatedb: locate database $tmp is empty"
  		   exit 1
  	esac
  fi
--- 88,96 ----
  then
  	case X"`$find $tmp -size -257c -print`" in
  		X) cat $tmp > $FCODES;;
! 		*) echo "`basename $0`: locate database $tmp is empty" >&2
  		   exit 1
  	esac
  fi
+ 
+ chmod 444 $FCODES
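Review bot: `chmod 444 $FCODES` clears the owner's write bit, and this patch now insists the script run as the non-root user nobody, so the next run's `cat $tmp > $FCODES` would be expected to fail with a permission error once nobody owns a 0444 database. `chmod 644 $FCODES` keeps the database world-readable while leaving it rewritable by its owner. The chmod is also reached when the enclosing `if`, which starts outside this hunk, did not succeed, and `$FCODES` is unquoted. Moving it into the `X)` branch as `cat $tmp > "$FCODES" && chmod 644 "$FCODES"` would tie it to a successful write.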
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message


