[Networker] possible symlink attack in shutdown script

2004-01-28 17:18:18
Subject: [Networker] possible symlink attack in shutdown script
From: Osvaldo Lehmann <osvaldo.lehmann AT AQB DOT CL>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Wed, 28 Jan 2004 17:18:09 -0500
I have received the following notice:

the shutdown (nsr_shutdown) script from networker version 6.0 and higher
contains the following:

zero_worklist()
{
[...]
        rm -f /tmp/nsrsh$$
        echo '. type: nsr group' > /tmp/nsrsh$$ # <----------------
        echo 'update work list:; completion:' >> /tmp/nsrsh$$
        nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
        rm -f /tmp/nsrsh$$
}
[...]


As we all know, the "$$" is no protection against symlink attacks.
A user could create a symbolic link from /tmp/nsrsh(guessed pid)
to somewhere in the system and could create or overwrite any file
on the system, because it must be executed with root priv.


a better handling would be something like:


TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$
echo '. type: nsr group' > $TMPFILE
echo 'update work list:; completion:' >> $TMPFILE
nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
rm -f $TMPFILE


or "mktemp /tmp/phun.XXXXXX"

Any tips or suggestions will be appreciated.
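
Added example (not part of the original post and not the vendor's script): two ways to restructure the temp-file handling in the quoted zero_worklist(), one that pipes the commands to nsradmin's stdin with no file at all and one that lets mktemp create the file. The NSRADMIN and NSR_TMPDIR variables and the function names are assumptions introduced here so the code can be run without NetWorker installed.

```shell
#!/bin/sh
# Added example, not the vendor's script. NSRADMIN and NSR_TMPDIR are assumed
# variables (not NetWorker settings) so the functions can be exercised with a
# stand-in command in a scratch directory.
NSRADMIN=${NSRADMIN:-nsradmin}
RESFILE=${RESFILE:-}
NSR_TMPDIR=${NSR_TMPDIR:-${TMPDIR:-/tmp}}

# The two nsradmin commands from zero_worklist(), written to stdout.
worklist_cmds() {
    printf '%s\n' '. type: nsr group' 'update work list:; completion:'
}

# Variant 1: no temporary file. nsradmin is already told to read stdin
# ("-i -"), so a pipe removes the predictable /tmp path entirely.
zero_worklist_pipe() {
    worklist_cmds | $NSRADMIN ${RESFILE} -i - > /dev/null 2>&1
}

# Variant 2: keep a file, but let mktemp create it. mktemp picks an
# unpredictable name and creates the file exclusively with mode 0600, so a
# file or symlink planted at a guessed name is never opened. The later
# redirect reopens a file this user already owns; in a sticky directory
# such as /tmp other users cannot swap it out.
zero_worklist_mktemp() {
    tmpfile=$(mktemp "$NSR_TMPDIR/nsrsh.XXXXXX") || return 1
    worklist_cmds > "$tmpfile"
    $NSRADMIN ${RESFILE} -i - < "$tmpfile" > /dev/null 2>&1
    rc=$?
    rm -f -- "$tmpfile"
    return $rc
}
```
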
