Date:      Sat, 15 May 1999 22:08:27 +0930 (CST)
From:      Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To:        hackers@freebsd.org
Subject:   Patch for make -j exploit
Message-ID:  <Pine.OSF.4.10.9905152156080.5879-200000@bragg>


make -j creates temporary files for the purpose of storing shell commands -
unfortunately, it just names them /tmp/makeXXXXX where XXXXX is the PID of the
parent process. This leads to a potential DoS exploit wherein a user can guess
the PID of the make process and create symlinks to, say, /etc/passwd, which
will be followed when root runs make -j, and overwritten (in practice it's
necessary to 'mine' /tmp with a thousand or so consecutive symlinks to
increase the chances of the PID landing in the range). This is of course only
possible if root runs a parallel make on a system with a malicious user, but I
still consider it a possibility.

The attached patches seem to rectify this problem - can someone please review
them?

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_

[Attachment: make.patch]


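An added illustration of the problem described in the message, not the attached make.patch (its contents are not shown on this page) and not FreeBSD make source: inside a private scratch directory it plants a symlink at a PID-derived name and compares a plain `O_CREAT|O_TRUNC` open with `O_EXCL` and `mkstemp()`. The function names, the enum and the scratch-directory layout are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PREDICTABLE, EXCLUSIVE, MKSTEMP };   /* hypothetical strategy names */

/* Open a make-style temp file in dir using the chosen strategy. */
int open_tmp(int how, const char *dir, char *path, size_t len) {
    if (how == MKSTEMP) {   /* unpredictable name, created O_EXCL, mode 0600 */
        snprintf(path, len, "%s/makeXXXXXX", dir);
        return mkstemp(path);
    }
    snprintf(path, len, "%s/make%05ld", dir, (long)getpid()); /* make + PID */
    if (how == EXCLUSIVE)   /* EEXIST if anything, even a symlink, is there */
        return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* follows links */
}

/* Constructed scenario in a private scratch directory: a 6-byte victim file
 * and a symlink to it at the predictable name. Returns the victim's size after
 * the open (0 = truncated via the link); *err_out gets the open's errno or 0. */
long victim_size_after(int how, int *err_out) {
    char dir[] = "/tmp/mkdemoXXXXXX", victim[64], planted[64], path[64] = "";
    struct stat st;
    int fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/make%05ld", dir, (long)getpid());
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd) != 0) return -1;
    if (symlink(victim, planted) != 0) return -1;
    fd = open_tmp(how, dir, path, sizeof path);
    *err_out = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    if (stat(victim, &st) != 0) return -1;
    unlink(path); unlink(planted); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void) {
    for (int how = PREDICTABLE, err = 0; how <= MKSTEMP; how++) {
        long size = victim_size_after(how, &err);
        printf("strategy %d: errno=%d victim=%ld bytes\n", how, err, size);
    }
}
```

Only the first strategy empties the victim file; `O_EXCL` refuses the planted link with `EEXIST`, and `mkstemp()` never touches the guessed name.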