Bash: Security problem during compilation time.


X-RDate: Wed, 18 Mar 1998 12:40:02 +0500 (ESK)
Date: Tue, 17 Mar 1998 07:36:30 +0100
From: Alexandre Stervinou <stervino@info.enserb.u-bordeaux.fr>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bash: Security problem during compilation time.

Introduction:
        This is another /tmp symlink problem. Bash 2.01.1 and previous
        releases are affected. The authors have been warned.
        I'd like to apologize if I missed a previous post about this
        bug.

Description:
        File concerned: bash-2.01.1/builtins/psize.sh
        Problem: A temporary file called /tmp/pipesize is created at
each compilation, without checking whether it already exists, its
permissions and/or its owner. This may lead to a data integrity
problem if someone has previously created a symlink with that name
pointing to another file on the system. At the end of the compilation,
the person who ran it could find that one of his own files has been
erased, if the symlink pointed to it.

Repeat-By:
        Let's take a sensitive case: root will compile bash. A user
        called "user" knows about this symlink problem and decides to
        cause /etc/passwd to be overwritten.

        user$ln -s /etc/passwd /tmp/pipesize

        One day, root wants to compile bash for his system. In the
        source directory of bash:

        root#./configure
        root#make

        And now, the /etc/passwd file contains the pipe size
        corresponding to the OS.

Fix(?):
        Here is a simple fix, which is not perfect, but reduces the easy
way of doing such damage to a less obvious race condition issue:

#-----------BEGIN psize.sh------------
#! /bin/sh
#
# psize.sh -- determine this system's pipe size, and write a define to
#             pipesize.h so ulimit.c can use it.
#
# modified by Alexandre Stervinou, April 17th, 1998 -- possible symlink
# problem

echo "/*"
echo " * pipesize.h"
echo " *"
echo " * This file is automatically generated by psize.sh"
echo " * Do not edit!"
echo " */"
echo ""

TMPDIR=/tmp
TMPNAME=pipesize.$$

trap 'rm -rf $TMPDIR/$TMPNAME' 1 2 3 6 15

if [ ! -e $TMPDIR/$TMPNAME ]; then

    ./psize.aux 2>$TMPDIR/$TMPNAME | sleep 3

    if [ -s $TMPDIR/$TMPNAME ]; then
        echo "#define PIPESIZE `cat $TMPDIR/$TMPNAME`"
    else
        echo "#define PIPESIZE 512"
    fi

    rm -f $TMPDIR/$TMPNAME

else
    exit 1
fi

exit 0
#-----------END psize.sh------------
--
                 Alexandre Stervinou
       mailto:stervino@info.enserb.u-bordeaux.fr
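
An added example, not code from the original post or from the bash distribution: the temp-file step of psize.sh with the scratch file placed in a private mktemp -d directory and created exclusively, which removes the window between the existence test and the redirect. It assumes a mktemp utility that supports -d; the names create_exclusive, pipesize_define and PSIZE_WAIT are invented for illustration, and the probe command is passed in as a stand-in for ./psize.aux.

```shell
#!/bin/sh
# Added example; not part of the original post or of bash's build scripts.

# create_exclusive PATH: create PATH only if nothing is there yet.
# With noclobber (set -C) the shell refuses to redirect onto an existing
# regular file and opens new names with O_EXCL, so a planted symlink to a
# regular file, or a dangling symlink, is rejected instead of followed.
# A symlink to a device or FIFO can still be opened, which is why the
# caller below also keeps the file inside a private directory.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# pipesize_define PROBE [ARGS...]: run PROBE (stand-in for ./psize.aux),
# capture its stderr in a private scratch file and print the #define line.
# PSIZE_WAIT (hypothetical knob) is the sleep length, 3 as in psize.sh.
pipesize_define() {
    # mktemp -d atomically creates a mode-0700 directory with an
    # unpredictable name; other users cannot plant entries inside it.
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/psize.XXXXXX") || return 1
    trap 'rm -rf "$workdir"' HUP INT TERM
    out=$workdir/pipesize
    if create_exclusive "$out"; then
        "$@" 2>>"$out" | sleep "${PSIZE_WAIT:-3}"
        if [ -s "$out" ]; then
            echo "#define PIPESIZE $(cat "$out")"
        else
            echo "#define PIPESIZE 512"
        fi
        status=0
    else
        status=1
    fi
    rm -rf "$workdir"
    return "$status"
}
```

In psize.sh this would be called as: pipesize_define ./psize.aux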
