Date: Sat, 15 May 1999 22:08:27 +0930 (CST) From: Kris Kennaway <kkennawa@physics.adelaide.edu.au> To: hackers@freebsd.org Subject: Patch for make -j exploit Message-ID: <Pine.OSF.4.10.9905152156080.5879-200000@bragg>
next in thread | raw e-mail | index | archive | help
This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --0-1802820351-926771603=:5879 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: <Pine.OSF.4.10.9905152205491.5879@bragg> make -j creates temporary files for the purpose of storing shell commands - unfortunately, it just names them /tmp/makeXXXXX where XXXXX is the PID of the parent process. This leads to a potential DoS exploit wherein a user can guess the PID of the make process and create symlinks to, say /etc/passwd, which will be followed when root runs make -j, and overwritten (in practise it's necessary to 'mine' /tmp with a thousand or so consecutive symlinks to increase the chances of the PID landing in the range). This is of course only possible if root runs a parallel make on a system with a malicious user, but I still consider it a possibility. The attached patches seem to rectify this problem - can someone please review them? Kris ----- "That suit's sharper than a page of Oscar Wilde witticisms that's been rolled up into a point, sprinkled with lemon juice and jabbed into someone's eye" "Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_ --0-1802820351-926771603=:5879 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="make.patch" Content-Transfer-Encoding: BASE64 Content-ID: <Pine.OSF.4.10.9905152203220.5879@bragg> Content-Description: Content-Disposition: ATTACHMENT; FILENAME="make.patch" SW5kZXg6IGpvYi5jDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpSQ1MgZmls ZTogL2hvbWUvbmN2cy9zcmMvdXNyLmJpbi9tYWtlL2pvYi5jLHYNCnJldHJp ZXZpbmcgcmV2aXNpb24gMS4xMg0KZGlmZiAtdSAtcjEuMTIgam9iLmMNCi0t LSBqb2IuYwkxOTk5LzAyLzE0IDIyOjIyOjQyCTEuMTINCisrKyBqb2IuYwkx OTk5LzA1LzE1IDEyOjI0OjE5DQpAQCAtMTYxLDEzICsxNjEsMTAgQEANCiAN CiAvKg0KICAqIHRmaWxlIGlzIHRoZSBuYW1lIG9mIGEgZmlsZSBpbnRvIHdo aWNoIGFsbCBzaGVsbCBjb21tYW5kcyBhcmUgcHV0LiBJdCBpcw0KLSAqIHVz ZWQgb3ZlciBieSByZW1vdmluZyBpdCBiZWZvcmUgdGhlIGNoaWxkIHNoZWxs IGlzIGV4ZWN1dGVkLiBUaGUgWFhYWFggaW4NCi0gKiB0aGUgc3RyaW5nIGFy ZSByZXBsYWNlZCBieSB0aGUgcGlkIG9mIHRoZSBtYWtlIHByb2Nlc3MgaW4g YSA1LWNoYXJhY3Rlcg0KLSAqIGZpZWxkIHdpdGggbGVhZGluZyB6ZXJvZXMu DQorICogcmVtb3ZlZCBiZWZvcmUgdGhlIGNoaWxkIHNoZWxsIGlzIGV4ZWN1 dGVkLg0KICAqLw0KIHN0YXRpYyBjaGFyICAgICB0ZmlsZVtdID0gVE1QUEFU Ow0KIA0KLQ0KIC8qDQogICogRGVzY3JpcHRpb25zIGZvciB2YXJpb3VzIHNo ZWxscy4NCiAgKi8NCkBAIC0xNjY0LDcgKzE2NjEsNiBAQA0KIHsNCiAgICAg cmVnaXN0ZXIgSm9iICAqam9iOyAgICAgICAvKiBuZXcgam9iIGRlc2NyaXB0 b3IgKi8NCiAgICAgY2hhcgkgICphcmd2WzRdOyAgIC8qIEFyZ3VtZW50IHZl Y3RvciB0byBzaGVsbCAqLw0KLSAgICBzdGF0aWMgaW50ICAgIGpvYm5vID0g MDsgIC8qIGpvYiBudW1iZXIgb2YgY2F0Y2hpbmcgb3V0cHV0IGluIGEgZmls ZSAqLw0KICAgICBCb29sZWFuCSAgY21kc09LOyAgICAgLyogdHJ1ZSBpZiB0 aGUgbm9kZXMgY29tbWFuZHMgd2VyZSBhbGwgcmlnaHQgKi8NCiAgICAgQm9v bGVhbiAJICBsb2NhbDsgICAgICAvKiBTZXQgdHJ1ZSBpZiB0aGUgam9iIHdh cyBydW4gbG9jYWxseSAqLw0KICAgICBCb29sZWFuIAkgIG5vRXhlYzsgICAg IC8qIFNldCB0cnVlIGlmIHdlIGRlY2lkZSBub3QgdG8gcnVuIHRoZSBqb2Ig Ki8NCkBAIC0xODcxLDggKzE4NjcsNyBAQA0KICAgICAvKg0KICAgICAgKiBJ ZiB3ZSdyZSB1c2luZyBwaXBlcyB0byBjYXRjaCBvdXRwdXQsIGNyZWF0ZSB0 aGUgcGlwZSBieSB3aGljaCB3ZSdsbA0KICAgICAgKiBnZXQgdGhlIHNoZWxs J3Mgb3V0cHV0LiBJZiB3ZSdyZSB1c2luZyBmaWxlcywgcHJpbnQgb3V0IHRo YXQgd2UncmUNCi0gICAgICogc3RhcnRpbmcgYSBqb2IgYW5kIHRoZW4gc2V0 IHVwIGl0cyB0ZW1wb3JhcnktZmlsZSBuYW1lLiBUaGlzIGlzIGp1c3QNCi0g ICAgICogdGZpbGUgd2l0aCB0d28gZXh0cmEgZGlnaXRzIHRhY2tlZCBvbiAt LSBqb2Juby4NCisgICAgICogc3RhcnRpbmcgYSBqb2IgYW5kIHRoZW4gc2V0 IHVwIGl0cyB0ZW1wb3JhcnktZmlsZSBuYW1lLg0KICAgICAgKi8NCiAgICAg aWYgKCFjb21wYXRNYWtlIHx8IChqb2ItPmZsYWdzICYgSk9CX0ZJUlNUKSkg ew0KIAlpZiAodXNlUGlwZXMpIHsNCkBAIC0xODg2LDkgKzE4ODEsOCBAQA0K IAl9IGVsc2Ugew0KIAkgICAgKHZvaWQpIGZwcmludGYoc3Rkb3V0LCAiUmVt YWtpbmcgYCVzJ1xuIiwgZ24tPm5hbWUpOw0KICAgCSAgICAodm9pZCkgZmZs dXNoKHN0ZG91dCk7DQotCSAgICBzcHJpbnRmKGpvYi0+b3V0RmlsZSwgIiVz JTAyZCIsIHRmaWxlLCBqb2Jubyk7DQotCSAgICBqb2JubyA9IChqb2JubyAr IDEpICUgMTAwOw0KLQkgICAgam9iLT5vdXRGZCA9IG9wZW4oam9iLT5vdXRG aWxlLE9fV1JPTkxZfE9fQ1JFQVR8T19BUFBFTkQsMDYwMCk7DQorCSAgICBz dHJjcHkoam9iLT5vdXRGaWxlLCBUTVBQQVQpOw0KKwkgICAgam9iLT5vdXRG ZCA9IG1rc3RlbXAoam9iLT5vdXRGaWxlKTsNCiAJICAgICh2b2lkKSBmY250 bChqb2ItPm91dEZkLCBGX1NFVEZELCAxKTsNCiAJfQ0KICAgICB9DQpAQCAt MjQwNSw3ICsyMzk5LDcgQEANCiB7DQogICAgIEdOb2RlICAgICAgICAgKmJl Z2luOyAgICAgLyogbm9kZSBmb3IgY29tbWFuZHMgdG8gZG8gYXQgdGhlIHZl cnkgc3RhcnQgKi8NCiANCi0gICAgKHZvaWQpIHNwcmludGYodGZpbGUsICIv dG1wL21ha2UlMDVkIiwgZ2V0cGlkKCkpOw0KKyAgICAodm9pZCkgbWt0ZW1w KHRmaWxlKTsNCiANCiAgICAgam9icyA9ICAJICBMc3RfSW5pdChGQUxTRSk7 DQogICAgIHN0b3BwZWRKb2JzID0gTHN0X0luaXQoRkFMU0UpOw0KSW5kZXg6 IGpvYi5oDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQpSQ1MgZmlsZTogL2hv bWUvbmN2cy9zcmMvdXNyLmJpbi9tYWtlL2pvYi5oLHYNCnJldHJpZXZpbmcg cmV2aXNpb24gMS44DQpkaWZmIC11IC1yMS44IGpvYi5oDQotLS0gam9iLmgJ MTk5Ny8wNC8yMSAyMDozMjoxMQkxLjgNCisrKyBqb2IuaAkxOTk5LzA1LzE1 IDEwOjQ0OjQxDQpAQCAtNDcsNyArNDcsNyBAQA0KICNpZm5kZWYgX0pPQl9I Xw0KICNkZWZpbmUgX0pPQl9IXw0KIA0KLSNkZWZpbmUgVE1QUEFUCSIvdG1w L21ha2VYWFhYWCINCisjZGVmaW5lIFRNUFBBVAkiL3RtcC9tYWtlWFhYWFhY WFgiDQogDQogLyoNCiAgKiBUaGUgU0VMXyBjb25zdGFudHMgZGV0ZXJtaW5l IHRoZSBtYXhpbXVtIGFtb3VudCBvZiB0aW1lIHNwZW50IGluIHNlbGVjdA0K QEAgLTEyOCw3ICsxMjgsNyBAQA0KIAl9ICAgCSAgICBvX3BpcGU7CSAgICAv KiBkYXRhIHVzZWQgd2hlbiBjYXRjaGluZyB0aGUgb3V0cHV0IHZpYQ0KIAkJ CQkgICAgICogYSBwaXBlICovDQogCXN0cnVjdCB7DQotCSAgICBjaGFyICAJ b2Zfb3V0RmlsZVtzaXplb2YoVE1QUEFUKSsyXTsNCisJICAgIGNoYXIgIAlv Zl9vdXRGaWxlW3NpemVvZihUTVBQQVQpXTsNCiAJICAgIAkgIAkgICAgCSAg ICAJLyogTmFtZSBvZiBmaWxlIHRvIHdoaWNoIHNoZWxsIG91dHB1dA0KIAkJ CQkJICogd2FzIHJlcm91dGVkICovDQogCSAgICBpbnQJICAgIAlvZl9vdXRG ZDsJLyogU3RyZWFtIG9wZW4gdG8gdGhlIG91dHB1dA0KSW5kZXg6IG1haW4u Yw0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQ0KUkNTIGZpbGU6IC9ob21lL25j dnMvc3JjL3Vzci5iaW4vbWFrZS9tYWluLmMsdg0KcmV0cmlldmluZyByZXZp c2lvbiAxLjMwDQpkaWZmIC11IC1yMS4zMCBtYWluLmMNCi0tLSBtYWluLmMJ MTk5OS8wMy8wMSAwNjowMTowNQkxLjMwDQorKysgbWFpbi5jCTE5OTkvMDUv MTUgMDc6NTM6MTgNCkBAIC0xMjUzLDcgKzEyNTMsNyBAQA0KIH0NCiANCiAv Kg0KLSAqIGVudW5saW5rIC0tDQorICogZXVubGluayAtLQ0KICAqCVJlbW92 ZSBhIGZpbGUgY2FyZWZ1bGx5LCBhdm9pZGluZyBkaXJlY3Rvcmllcy4NCiAg Ki8NCiBpbnQNCg== --0-1802820351-926771603=:5879-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.OSF.4.10.9905152156080.5879-200000>