Date:      Wed, 21 Nov 2001 13:37:01 -0600
From:      Eric Anderson <anderson@centtech.com>
To:        The Anarcat <anarcat@anarcat.dyndns.org>
Cc:        FreeBSD Security Issues <FreeBSD-security@freebsd.org>
Subject:   Re: fun with pkg_add
Message-ID:  <3BFC025D.36710154@centtech.com>
References:  <20011121191808.GD44370@shall.anarcat.dyndns.org>

The only danger I see is a potential that the user could
replace the binary with a hacked version, between untarring
and installing, creating a breach.  Other than that, it's
the same as a /var/tmp directory almost.  Although I see
what you are saying, and do think this could be a potential
problem.

Eric



The Anarcat wrote:
> 
> Hi!
> 
> I just noticed something that could be a problem with pkg_add
> algorithms. When it installs a package, it first untars it in a
> temporary directory. The problem is that the subdirectories of the
> package created this way are world-writable:
> 
> $ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10.0g.tgz
> $ pkg_add auctex-10.0g.tgz
> ^Z
> $ ls -l /var/tmp/inst*
> total 23
> -rw-r--r--  1 root  wheel     57 12 nov 02:07 +COMMENT
> -rw-r--r--  1 root  wheel  11223 12 nov 02:07 +CONTENTS
> -rw-r--r--  1 root  wheel   1224 12 nov 02:07 +DESC
> -rw-r--r--  1 root  wheel    815 12 nov 02:07 +DISPLAY
> -r--r--r--  1 root  wheel   5181 12 nov 02:07 +MTREE_DIRS
> drwxrwxrwx  2 root  wheel    512 21 nov 14:15 info/
> drwxrwxrwx  4 root  wheel    512 21 nov 14:15 share/
> 
> Lovely. I don't exactly know why it happens this way.
> 
> I think this could be a security problem if a random user happens to run
> around /var/tmp while the admin is adding a package.
> 
> Am I wrong?
> 
> A.
> 
>   ------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature

-- 
-------------------------------------------------------------
Eric Anderson	 anderson@centtech.com    Centaur Technology
An unbreakable toy is useful for breaking other toys.
-------------------------------------------------------------
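The staging problem discussed in this thread (package contents unpacked under /var/tmp with world-writable subdirectories, leaving a window between extraction and installation) is illustrated below from the defender's side. This is an added example, not code from the thread, from pkg_add, or from the FreeBSD project: the function names (make_private_stage, stage_package, world_writable, harden_stage, is_private_stage) are hypothetical, and the package layout it constructs mirrors the info/ and share/ directories in the listing above. It shows the two controls that close the window: creating the staging directory itself with mode 0700 so no other user can traverse into it regardless of what modes the archive carries, and auditing (and stripping) the other-write bit on whatever was extracted.

```shell
#!/bin/sh
# Added example (not from the thread or from pkg_add): stage a package
# tarball in a private directory and audit the result for world-writable
# entries. Function names below are hypothetical.
set -eu

# make_private_stage DIR: create DIR with mode 0700 (owner only).
# mkdir -m applies the mode when the directory is created, so there is
# no moment at which DIR is world-searchable. It fails if DIR already
# exists, so a directory pre-created by another user in /var/tmp is
# never reused.
make_private_stage() {
    mkdir -m 0700 "$1" 2>/dev/null
}

# stage_package TARBALL DIR: create DIR privately and extract TARBALL
# into it with a restrictive umask. Even when the archive carries
# world-writable modes (like the info/ and share/ directories in the
# thread), other users cannot reach them because DIR itself is 0700.
# Note: tar run as root normally preserves archived modes despite the
# umask, which is why harden_stage exists as a second step.
stage_package() {
    tarball=$1
    dir=$2
    make_private_stage "$dir"
    ( umask 077 && tar -xf "$tarball" -C "$dir" )
}

# world_writable DIR: print every entry under DIR with the other-write
# bit set. "-perm -002" is POSIX: it matches when all bits in 002 are set.
world_writable() {
    find "$1" -perm -002 -print
}

# count_world_writable DIR: number of world-writable entries under DIR.
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# harden_stage DIR: clear the other-write bit on everything under DIR.
# This is the fix-up for the listing shown in the thread; it is idempotent.
harden_stage() {
    find "$1" -perm -002 -exec chmod o-w {} +
}

# is_private_stage DIR: succeed only if DIR exists and its mode is exactly
# 0700. "-prune" stops find from descending, so only DIR itself is tested.
is_private_stage() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 0700 -print)" ]
}

# Usage: ./stage.sh package.tgz /var/tmp/stage.XXXX (a fresh, unused path)
if [ "$#" -eq 2 ]; then
    stage_package "$1" "$2"
    harden_stage "$2"
    printf 'staged %s in %s; world-writable entries left: %s\n' \
        "$1" "$2" "$(count_world_writable "$2")"
fi
```

The order matters: the private parent directory is what removes the race, because a 0700 parent blocks traversal into the extracted tree no matter what modes the archive carried; stripping o+w afterwards is defence in depth for the case where tar preserved the archived modes (as it does when run as root). Running world_writable over an existing staging area is also a quick way to confirm the listing the thread describes on your own system.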
