From owner-freebsd-questions Thu Apr 18 13: 4:22 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from stereophonic.noops.org (adsl-66-127-227-196.dsl.sntc01.pacbell.net [66.127.227.196]) by hub.freebsd.org (Postfix) with SMTP id CEFCA37B417 for ; Thu, 18 Apr 2002 13:03:55 -0700 (PDT)
Received: (qmail 5463 invoked by uid 1000); 18 Apr 2002 20:03:54 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Apr 2002 20:03:54 -0000
Date: Thu, 18 Apr 2002 13:03:54 -0700 (PDT)
From: Thomas Cannon
To:
Cc:
Subject: I think this could be better
Message-ID: <20020418121731.O4793-100000@stereophonic.noops.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I just did a "make world" and noticed this go zipping by:

mkdir -p /tmp/install.33931
for prog in [ awk cat chflags chmod chown date echo egrep find grep ln make makewhatis mtree mv perl rm sed sh sysctl test true uname wc zic; do cp `which $prog` /tmp/install.33931; done

I killed it and took a look around and saw that yes, indeed, we're running (via make) a shell script (as root) that makes temporary files in a world-writable directory, without checking to see if it exists first, with a predictable name. Then it indiscriminately deletes all of it.

From the included Makefile.inc1:

installworld:
	mkdir -p ${INSTALLTMP}
	for prog in [ awk cat chflags chmod chown date echo egrep find grep \
	    ln make makewhatis mtree mv perl rm sed sh sysctl \
	    test true uname wc zic; do \
		cp `which $$prog` ${INSTALLTMP}; \
	done
	cd ${.CURDIR}; ${IMAKE} reinstall
	rm -rf ${INSTALLTMP}

Of course, it does say pretty clearly in the documentation that doing this in multi-user space is a bad idea:

"You may want to compile the system in single user mode. Apart from the obvious benefit of making things go slightly faster, reinstalling the system will touch a lot of important system files, all the standard system binaries, libraries, include files and so on. Changing these on a running system (particularly if you have active users on the system at the time) is asking for trouble."

But all that means is that as an attacker I just need to make the files/symlinks in advance and wait, which is what they'd have to do anyway.

I could very easily be missing something. It frequently happens. I feel like I must be, as I'd expect developers to be more prudent and use a non-public temporary space just out of reflex. Is there some safety check that I'm not seeing?

Thanks in advance,

-tcannon

--
Thomas Cannon, CISSP, FNCNE, CCDP, CCNP, SCSA, SCNA, CCDA, CCNA
Unified Computing
(415) 533-5294

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
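An added example, not code from the mail above or from the FreeBSD tree: the installworld staging step rewritten so the temporary directory gets an unpredictable name from mktemp(1) and is checked before anything is copied into it or removed from it. The check function tmpdir_is_safe and the demo are hypothetical names; the block assumes POSIX sh with a mktemp that supports -d.

```shell
#!/bin/sh
# Added example (not from the mail or the FreeBSD Makefile): a hardened
# version of the /tmp staging step discussed above. Assumes POSIX sh and
# mktemp(1) with -d. Function and variable names are hypothetical.

# tmpdir_is_safe DIR: succeed only if DIR is a real directory (not a
# symlink), owned by the invoking user and writable by nobody else.
# This is the check the original recipe never makes before trusting
# a path under /tmp and later running rm -rf on it.
tmpdir_is_safe() {
    dir=$1
    [ -L "$dir" ] && return 1                 # pre-planted symlink: refuse
    [ -d "$dir" ] || return 1                 # must be a directory
    listing=$(ls -ld "$dir") || return 1
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1    # somebody else's directory
    # columns 6 and 9 of the mode string are the group/other write bits
    case $(printf '%s\n' "$listing" | cut -c6,9) in
        *w*) return 1 ;;                      # group- or world-writable
    esac
    return 0
}

# make_install_tmp: create the staging directory atomically, mode 0700,
# with a random suffix (mktemp -d) instead of `mkdir -p` on a guessable
# name. Prints the path on success so a Makefile can capture it.
make_install_tmp() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/install.XXXXXXXX") || return 1
    tmpdir_is_safe "$d" || { rmdir "$d"; return 1; }
    printf '%s\n' "$d"
}

# demo_planted_path: in a private sandbox, plant a symlink at the kind of
# predictable name the mail shows (install.33931) and confirm the check
# rejects it while a mktemp-created directory passes. Returns 0 if both hold.
demo_planted_path() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/elsewhere" || return 1
    ln -s "$sandbox/elsewhere" "$sandbox/install.33931" || return 1
    ok=0
    if tmpdir_is_safe "$sandbox/install.33931"; then ok=1; fi   # must fail
    staged=$(TMPDIR=$sandbox make_install_tmp) || ok=1
    tmpdir_is_safe "$staged" || ok=1                             # must pass
    rm -rf "$sandbox"
    return $ok
}

demo_planted_path && echo "hardened staging check behaves as expected"
```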