Networker

Re: [Networker] possible symlink attack in shutdown script

2004-01-28 18:20:30
Subject: Re: [Networker] possible symlink attack in shutdown script
From: Tim Mooney <mooney AT DOGBERT.CC.NDSU.NODAK DOT EDU>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Wed, 28 Jan 2004 17:10:33 -0600
In regard to: [Networker] possible symlink attack in shutdown script,...:

>I have received the following notice:
>
>the shutdown (nsr_shutdown) script from networker version 6.0 and higher
>contains the following:

This was reported on BugTraq last week.  Yes, it's a problem.  If you
have NetWorker support, you should call and log a problem with Legato.
Be sure to mention it's a security problem, and it affects every UNIX
client.

Of the security problems I know of with NetWorker, I consider this one
the least worrisome.  You can actually fix it yourself, if you want.
Since NetWorker requires a /nsr directory (or symlink), nsr_shutdown could
easily just create its tempfiles under there.  Or, the script could be
modified to use a here document, and not use any tempfiles at all.

Either one of these modifications, you can effect.

>zero_worklist()
>{
>[...]
>        rm -f /tmp/nsrsh$$
>        echo '. type: nsr group' > /tmp/nsrsh$$ # <----------------
>        echo 'update work list:; completion:' >> /tmp/nsrsh$$
>        nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
>        rm -f /tmp/nsrsh$$
>}
>[...]

What happens if you replace that code with

nsradmin ${RESFILE} -i - <<_NSR_HERE_DOC
. type: nsr group
update work list:; completion:
_NSR_HERE_DOC



Tim
--
Tim Mooney                              mooney AT dogbert.cc.ndsu.NoDak DOT edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
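
Both fixes suggested in the message above, written out as an added example (not part of the original post and not Legato's code). `fake_nsradmin`, `NSRADMIN`, `NSR_CAPTURE`, `NSR_TMPDIR` and `selfcheck` are hypothetical names introduced so it runs without NetWorker installed.

```shell
#!/bin/sh
# Stand-in for the real nsradmin so this runs offline (an assumption of the
# example): it ignores its arguments and saves stdin to $NSR_CAPTURE.
fake_nsradmin() { cat > "${NSR_CAPTURE:-/dev/null}"; }
NSRADMIN=${NSRADMIN:-fake_nsradmin}   # NSRADMIN=nsradmin on a real client

# Option 1: here document, so the script names no file in /tmp at all.
zero_worklist_heredoc() {
    $NSRADMIN ${RESFILE:-} -i - > /dev/null 2>&1 <<'_NSR_HERE_DOC'
. type: nsr group
update work list:; completion:
_NSR_HERE_DOC
}

# Option 2: keep a temp file, but under the NetWorker directory instead of
# /tmp, with a name mktemp chooses and creates exclusively (mode 0600).
zero_worklist_private_tmp() {
    tmp=$(mktemp "${NSR_TMPDIR:-/nsr}/nsrsh.XXXXXX") || return 1
    {
        echo '. type: nsr group'
        echo 'update work list:; completion:'
    } > "$tmp"
    $NSRADMIN ${RESFILE:-} -i - < "$tmp" > /dev/null 2>&1
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed regression check in a scratch directory: a link sits at the
# old predictable name; neither variant may write through it or leave files.
selfcheck() (
    sb=$(mktemp -d) || exit 1
    NSR_TMPDIR=$sb; NSR_CAPTURE=$sb/got
    echo precious > "$sb/decoy"
    ln -s "$sb/decoy" "$sb/nsrsh$$"
    zero_worklist_heredoc && zero_worklist_private_tmp
    rc=$?
    [ "$(cat "$sb/decoy")" = precious ] || rc=1
    [ "$(sed -n 2p "$sb/got")" = 'update work list:; completion:' ] || rc=1
    [ "$(ls "$sb" | wc -l)" -eq 3 ] || rc=1     # decoy, link, got
    rm -rf "$sb"
    exit $rc
)

selfcheck && echo "ok: commands delivered, decoy untouched"
```

Option 2 is only as good as the permissions on the directory it uses, so it assumes `/nsr` is writable by root alone.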
