
Re: [Networker] possible symlink attack in shutdown script

2004-01-28 18:10:28
Subject: Re: [Networker] possible symlink attack in shutdown script
From: Darren Dunham <ddunham AT TAOS DOT COM>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Wed, 28 Jan 2004 15:10:28 -0800
> the shutdown (nsr_shutdown) script from networker version 6.0 and higher
> contains the following:
>
> zero_worklist()
> {
> [...]
>         rm -f /tmp/nsrsh$$
>         echo '. type: nsr group' > /tmp/nsrsh$$ # <----------------
>         echo 'update work list:; completion:' >> /tmp/nsrsh$$
>         nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
>         rm -f /tmp/nsrsh$$
> }
> [...]

Okay..

> as we all know the "$$" is no protection against symlink attacks
> a user could create a symbolic link from /tmp/nsrsh(guessed pid)
> to somewhere in the system and could create or overwrite any file
> on the system because it must be executed with root priv.

True.

> a better handling would be something like:
>
>
> TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$
> echo '. type: nsr group' > $TMPFILE
>         echo 'update work list:; completion:' >> $TMPFILE
>         nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
>         rm -f $TMPFILE

Actually, I see no particular reason something this trivial needs to use
a tempfile at all.  I'm pretty certain you could do the following on
solaris.  I don't know about other systems...

printf ". type: nsr group\nupdate work list:; completion:\n" |
  nsradmin -i - > /dev/null 2>&1

Further, why is this done in the first place?  I've often had tape
issues that require a restart of the box, which means a shutdown of nsr.
I might want to restart the group after the reboot.  This script
prevents me from doing that unless I jump through hoops of either
editing the script or manually saving then adding the work list and
completion back in.


--
Darren Dunham                                           ddunham AT taos DOT com
Unix System Administrator                    Taos - The SysAdmin Company
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >
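An added example (not code from the thread or from the NetWorker product) showing both remedies discussed above: hand the two admin lines to the consumer over a pipe so no pathname exists to be guessed, or, where a file is unavoidable, let mktemp create it with O_EXCL and verify it before use. nsradmin is stood in for by a hypothetical WORKLIST_CMD variable (default cat) so the script runs offline.

```shell
#!/bin/sh
# Added example, not the original nsr_shutdown code. On a real server set
# WORKLIST_CMD="nsradmin ${RESFILE} -i -" (hypothetical variable name).
WORKLIST_CMD="${WORKLIST_CMD:-cat}"

# The two admin lines the original script wrote to /tmp/nsrsh$$.
worklist_reset_commands() {
    printf '%s\n' '. type: nsr group' 'update work list:; completion:'
}

# Remedy 1: no temp file at all. The consumer reads from a pipe, so there
# is no /tmp name for another user to pre-create or point elsewhere.
reset_worklist_via_pipe() {
    worklist_reset_commands | $WORKLIST_CMD
}

# Remedy 2: when a file is needed, mktemp creates it atomically with
# O_EXCL and mode 0600, failing instead of following a planted symlink.
# The extra check refuses anything that is not a plain regular file.
# Prints the new path on success.
make_private_tmpfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/nsrsh.XXXXXX") || return 1
    if [ -L "$tmp" ] || [ ! -f "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}

reset_worklist_via_tmpfile() {
    tmp=$(make_private_tmpfile) || return 1
    # Clean up on every exit path, including signals during the run.
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    worklist_reset_commands > "$tmp" && $WORKLIST_CMD < "$tmp"
    rc=$?
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
    return $rc
}
```

With the default WORKLIST_CMD both functions simply echo the two lines, which is enough to see that neither one touches a predictable path.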

--
Note: To sign off this list, send a "signoff networker" command via email
to listserv AT listmail.temple DOT edu or visit the list's Web site at
http://listmail.temple.edu/archives/networker.html where you can
also view and post messages to the list.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
