Date:      Thu, 18 Apr 2002 13:03:54 -0700 (PDT)
From:      Thomas Cannon <tcannon@noops.org>
To:        <freebsd-questions@FreeBSD.ORG>
Cc:        <security-officer@freebsd.org>
Subject:   I think this could be better
Message-ID:  <20020418121731.O4793-100000@stereophonic.noops.org>

I just did a "make world" and noticed this go zipping by:

mkdir -p /tmp/install.33931
for prog in [ awk cat chflags chmod chown date echo egrep find grep ln \
    make makewhatis mtree mv perl rm sed sh sysctl test true uname wc zic; do \
    cp `which $prog` /tmp/install.33931; done

I killed it and took a look around and saw that yes, indeed, we're
running (via make) a shell script (as root) that makes temporary files in
a world-writable directory, without checking to see if it exists first, with
a predictable name. Then it indiscriminately deletes all of it.

From the included Makefile.inc1:

installworld:
        mkdir -p ${INSTALLTMP}
        for prog in [ awk cat chflags chmod chown date echo egrep find grep \
            ln make makewhatis mtree mv perl rm sed sh sysctl \
            test true uname wc zic; do \
                cp `which $$prog` ${INSTALLTMP}; \
        done
        cd ${.CURDIR}; ${IMAKE} reinstall
        rm -rf ${INSTALLTMP}


Of course, it does say pretty clearly in the documentation that doing this
in multi-user space is a bad idea:

"You may want to compile the system in single user mode. Apart from the
obvious benefit of making things go slightly faster, reinstalling the
system will touch a lot of important system files, all the standard system
binaries, libraries, include files and so on. Changing these on a running
system (particularly if you have active users on the system at the time)
is asking for trouble."

But all that means is that as an attacker I just need to make the
files/symlinks in advance and wait, which is what they'd have to do
anyway.

I could very easily be missing something. It frequently happens. I feel
like I must be, as I'd expect developers to be more prudent and use a
non-public temporary space just out of reflex. Is there some safety check
that I'm not seeing?

Thanks in advance,

-tcannon

--
Thomas Cannon, CISSP, FNCNE, CCDP, CCNP, SCSA, SCNA, CCDA, CCNA
Unified Computing (415) 533-5294
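The race the post describes, as an added example that is not part of the original message and not code from FreeBSD's Makefile.inc1. It reproduces the quoted pattern inside a private scratch directory that stands in for the world-writable /tmp, lets a simulated attacker pre-create the predictable path as a symlink, and contrasts it with a mktemp(1)-based staging directory plus an ownership check. The sandbox layout, the "attacker" step and the file contents are constructed for the demonstration; the PID 33931 is the one that appeared in the post. The "-O" test used in the hardened variant is a widely supported extension (bash, dash, FreeBSD sh), not strictly POSIX.

```sh
#!/bin/sh
# Added example, not code from the original post or from FreeBSD's
# Makefile.inc1. Everything here runs inside a private sandbox that plays
# the role of /tmp, so it is safe to run as an ordinary user.
set -u

SANDBOX=$(mktemp -d) || exit 1       # private scratch area for the whole demo
FAKE_TMP="$SANDBOX/tmp"              # stands in for the world-writable /tmp
mkdir -p "$FAKE_TMP" || exit 1
cleanup() { rm -rf "$SANDBOX"; }
trap cleanup EXIT

# The quoted installworld pattern: a name derived from make's PID, created
# with "mkdir -p", which succeeds silently when the path already exists,
# including when it is a symlink to a directory somebody else owns.
vulnerable_stage() {
    pid=$1
    dest="$FAKE_TMP/install.$pid"
    mkdir -p "$dest" || return 1
    # Stands in for: cp `which sh` ${INSTALLTMP}
    printf 'trusted copy of sh\n' > "$dest/sh" || return 1
    printf '%s\n' "$dest"
}

# Anyone who can write to /tmp can pre-create the predictable path. Here the
# attacker points it at a directory he owns, so root's copies land there and
# he can swap them out before "make reinstall" finds them via PATH.
attacker_plant() {
    pid=$1
    mkdir -p "$SANDBOX/evil" || return 1
    ln -s "$SANDBOX/evil" "$FAKE_TMP/install.$pid"
}

# True (0) if the attacker-controlled directory received a copy.
attacker_won() {
    [ -f "$SANDBOX/evil/sh" ]
}

# True (0) if a staging path is unusable as a private directory:
# a symlink, or something we do not own.
is_hijacked() {
    [ -L "$1" ] || [ ! -O "$1" ]
}

# Hardened variant: mktemp -d picks an unpredictable name, creates the
# directory with mode 0700 and fails instead of reusing an existing path.
# The re-check afterwards refuses to proceed on a symlink or a foreign dir.
safe_stage() {
    dest=$(mktemp -d "$FAKE_TMP/install.XXXXXXXX") || return 1
    if [ ! -d "$dest" ] || is_hijacked "$dest"; then
        printf 'refusing to use %s\n' "$dest" >&2
        return 1
    fi
    printf 'trusted copy of sh\n' > "$dest/sh" || return 1
    printf '%s\n' "$dest"
}

# Walk through the race once: the attacker plants first, then the "build" runs.
attacker_plant 33931
staged=$(vulnerable_stage 33931)
if attacker_won; then
    printf 'vulnerable: %s is a symlink, copy landed in %s/evil\n' "$staged" "$SANDBOX"
fi
safe=$(safe_stage) && printf 'safe: staged in %s (%s)\n' "$safe" "$(ls -ld "$safe" | cut -c1-10)"
```

Run it as any unprivileged user; the first line of output shows the copy landing in the attacker's directory, the second shows the mktemp directory created drwx------ under a name nobody could have planted in advance.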

