Date: Wed, 21 Nov 2001 15:10:52 -0500 (EST) From: The Anarcat <anarcat@anarcat.dyndns.org> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/32172: pkg_add creates its temporary directories world writable Message-ID: <20011121201052.8215920ADB@shall.anarcat.dyndns.org>
next in thread | raw e-mail | index | archive | help
>Number: 32172
>Category: bin
>Synopsis: pkg_add creates its temporary directories world writable
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 21 12:10:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: The Anarcat
>Release: FreeBSD 4.4-STABLE i386
>Organization:
Nada, Inc.
>Environment:
System: FreeBSD shall.anarcat.dyndns.org 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Nov 16 12:57:38 EST 2001 anarcat@shall.anarcat.dyndns.org:/usr/obj/usr/src/sys/SHALL i386
>Description:
pkg_add, when untarring a package prior to its installation, creates all
directories in this package with world-writable protection. Since some
packages are pretty big (eg. XFree86), the time during which these
directories are available is not negligeable and is most definitly
enough to hack some of the binaries getting installed.
Vital third-party programs such as httpd or xterm can be easily
overwritten by a third party.
>How-To-Repeat:
unsuspecting_admin# pkg_add XFree86
<wait>...
evil_attacker$ cd /var/tmp/inst*
evil_attacker$ cd bin
evil_attacker$ mv ~/my_hacked_xfree_server XFree86
evil_attacker$ <grin>
>Fix:
I think I found out why it's doing this... When you use the -p switch in
tar invocations on packages, directories gets created as 777!!!
The problem is in file.c:
--- /usr/src/usr.sbin/pkg_install/lib/file.c Thu Nov 15 16:35:52 2001
+++ /home/anarcat/file.c Wed Nov 21 15:01:10 2001
@@ -465,7 +465,7 @@
}
else
strcpy(args, "-z");
- strcat(args, " -xpf");
+ strcat(args, " -xf");
if (vsystem("tar %s '%s' %s", args, pkg, flist ? flist : "")) {
warnx("tar extract of %s failed!", pkg);
return 1;
This might cause problems with special permissions on packages with suid
binaries, though. I'm not sure of what the effect of -p actually is, but
a quick test shows tar keeps suid permissions, even without it.
Anyone has an idea why -p was there in the first place???
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011121201052.8215920ADB>