Date: Wed, 21 Nov 2001 15:10:52 -0500 (EST)
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/32172: pkg_add creates its temporary directories world writable
Message-ID: <20011121201052.8215920ADB@shall.anarcat.dyndns.org>

>Number: 32172
>Category: bin
>Synopsis: pkg_add creates its temporary directories world writable
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 21 12:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: The Anarcat
>Release: FreeBSD 4.4-STABLE i386
>Organization: Nada, Inc.
>Environment:
System: FreeBSD shall.anarcat.dyndns.org 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Nov 16 12:57:38 EST 2001 anarcat@shall.anarcat.dyndns.org:/usr/obj/usr/src/sys/SHALL i386

>Description:
pkg_add, when untarring a package prior to its installation, creates all
directories in this package with world-writable protection. Since some
packages are pretty big (e.g. XFree86), the time during which these
directories are available is not negligible and is most definitely
enough to hack some of the binaries getting installed. Vital third-party
programs such as httpd or xterm can be easily overwritten by a third party.

>How-To-Repeat:
unsuspecting_admin# pkg_add XFree86
<wait>...
evil_attacker$ cd /var/tmp/inst*
evil_attacker$ cd bin
evil_attacker$ mv ~/my_hacked_xfree_server XFree86
evil_attacker$ <grin>

>Fix:
I think I found out why it's doing this... When you use the -p switch in
tar invocations on packages, directories get created as 777!!!

The problem is in file.c:

--- /usr/src/usr.sbin/pkg_install/lib/file.c Thu Nov 15 16:35:52 2001 +++ /home/anarcat/file.c Wed Nov 21 15:01:10 2001 
@@ -465,7 +465,7 @@ } else strcpy(args, "-z"); - strcat(args, " -xpf"); + strcat(args, " -xf"); if (vsystem("tar %s '%s' %s", args, pkg, flist ? flist : "")) { warnx("tar extract of %s failed!", pkg); return 1;

This might cause problems with special permissions on packages with suid
binaries, though. I'm not sure of what the effect of -p actually is, but
a quick test shows tar keeps suid permissions, even without it.

Anyone has an idea why -p was there in the first place???

>Release-Note:
>Audit-Trail:
>Unformatted:
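
Review bot: Dropping -p in the `strcat(args, " -xf");` line makes the mode of every extracted file and directory depend on the umask of whoever runs pkg_add, and nothing in this hunk sets or documents that umask. Set an explicit umask before the `vsystem("tar %s '%s' %s", ...)` call, or add a comment stating the assumption, and confirm that packages shipping setuid binaries still install with the intended modes, since the report itself describes that check as only a quick test.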
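
An added example, not part of the original report and not pkg_install code: a shell audit for the condition described above, listing directories in an extraction tree that any local user could modify, run against a staging root created private (0700). The sample archive, the bin/server path and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: archive contents and names below are constructed.

# Print directories under $1 that are world-writable and lack the sticky
# bit, i.e. where any local user can rename or replace entries.
audit_staging() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Build a constructed package archive whose bin/ is recorded as mode 0777.
make_sample_pkg() {
    src=$(mktemp -d "${TMPDIR:-/tmp}/src.XXXXXX") || return 1
    mkdir "$src/bin" && : > "$src/bin/server" || return 1
    chmod 0777 "$src/bin"
    chmod 0755 "$src/bin/server"
    tar -cf "$1" -C "$src" bin
    rm -rf "$src"
}

# Extract archive $1 with tar flags $2 into a fresh private staging root.
# Prints "<mode string of staging root> <writable directories found>".
stage_and_audit() {
    pkg=$1 flags=$2
    # mktemp -d creates the directory 0700, so other users cannot enter
    # it even if directories inside end up world-writable.
    stage=$(mktemp -d "${TMPDIR:-/tmp}/stage.XXXXXX") || return 1
    ( umask 022; cd "$stage" && tar "$flags" "$pkg" ) || return 1
    root_mode=$(ls -ld "$stage" | cut -c1-10)
    count=$(audit_staging "$stage" | wc -l | tr -d ' ')
    rm -rf "$stage"
    echo "$root_mode $count"
}

demo() {
    pkg=$(mktemp "${TMPDIR:-/tmp}/pkg.XXXXXX") || return 1
    make_sample_pkg "$pkg" || return 1
    echo "with -p:    $(stage_and_audit "$pkg" -xpf)"
    # Current GNU tar and bsdtar restore recorded modes by default when
    # run as root, so this count depends on who runs the script.
    echo "without -p: $(stage_and_audit "$pkg" -xf)"
    rm -f "$pkg"
}

demo
```

The first field shows that the staging root itself stays private regardless of what modes the archive records; the second is the number of directories the audit would flag if that root were reachable.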