bug-inetutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-inetutils] tests/syslogd.sh and /tmp


From: Mats Erik Andersson
Subject: Re: [bug-inetutils] tests/syslogd.sh and /tmp
Date: Thu, 19 Jan 2012 10:23:37 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

Collecting all deficiencies.

torsdag den 19 januari 2012 klockan 09:01 skrev Simon Josefsson detta:
> address@hidden (Ludovic Courtès) writes:
> 
> > Hello,
> >
> > tests/syslogd.sh requires a writable /tmp.
> 
> Looking further at that test, it seems buggy from another point of view
> as well: the filenames are prone to a race condition when two or more
> InetUtils instances is built at the same time.  The filenames used are:
> 
> # This good name base consumes twentythree chracters.
> IU_GOOD_BASE=/tmp/$(date +%y-%m-%d)_socket_iu
> # Add a single character to violate the size condition.
> IU_BAD_BASE=/tmp/X$(date +%y-%m-%d)_socket_iu
> 
> Further, having predictable filenames has often been used by non-root
> users to mount a privilege-escalation attack (just wait until the root
> user runs the script), but I haven't reviewed the script if it has this
> problem as well.
> 
> Normal practice is to use 'mktemp'.
> 
> > The workaround I???ve used in Guile is to cd $TMPDIR, create ./my-socket,
> > and use that.
> 
> I would prefer a mktemp+cd approach.  It is the most secure, follows
> best practices, and is the most portable.

1. Replace $(( )) by `expr `.

2. logger(1) needs a rooted path "/this/starts/at/the/bottom".
   This rules out the "cd"-technique as viable work around.

3. The first illegal length is 109 or 105, depending on system.

4. Very long $TMPDIR must still be short enough to insert some
   random text in a template. Otherwise the subtest must be skipped.

Happy hacking,
  Mats E A



reply via email to

[Prev in Thread] Current Thread [Next in Thread]