From owner-freebsd-security Wed Nov 21 11:37:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 51ED337B405 for ; Wed, 21 Nov 2001 11:37:14 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id fALJbD401285; Wed, 21 Nov 2001 13:37:13 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id NAA14759; Wed, 21 Nov 2001 13:37:12 -0600 (CST) Message-ID: <3BFC025D.36710154@centtech.com> Date: Wed, 21 Nov 2001 13:37:01 -0600 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: The Anarcat Cc: FreeBSD Security Issues Subject: Re: fun with pkg_add References: <20011121191808.GD44370@shall.anarcat.dyndns.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The only danger I see is a potential that the user could replace the binary with a hacked version, between untaring and installing, creating a breach. Other than that, it's the same as a /var/tmp directory almost. Although I see what you are saying, and do think this could be a potential problem.. Eric The Anarcat wrote: > > Hi! > > I just noticed something that could be a problem with pkg_add > algorithms. When it installs a package, it first untars it in a > temporary directory. The problem is that the subdirectories of the > package created this way are world-writable: > > $ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz > $ pkg_add auctex-10.0g.tgz > ^Z > $ ls -l /var/tmp/inst* > total 23 > -rw-r--r-- 1 root wheel 57 12 nov 02:07 +COMMENT > -rw-r--r-- 1 root wheel 11223 12 nov 02:07 +CONTENTS > -rw-r--r-- 1 root wheel 1224 12 nov 02:07 +DESC > -rw-r--r-- 1 root wheel 815 12 nov 02:07 +DISPLAY > -r--r--r-- 1 root wheel 5181 12 nov 02:07 +MTREE_DIRS > drwxrwxrwx 2 root wheel 512 21 nov 14:15 info/ > drwxrwxrwx 4 root wheel 512 21 nov 14:15 share/ > > Lovely. I don't exactly know why it happens this way. > > I think this could be a security problem if a random user happens to run > around /var/tmp while the admin is adding a package. > > Am I wrong? > > A. > > ------------------------------------------------------------ > Part 1.2Type: application/pgp-signature -- ------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology An unbreakable toy is useful for breaking other toys. ------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message