[20463] in bugtraq
Re: Linux patches to solve /tmp race problem
daemon@ATHENA.MIT.EDU (Donaldson, Matthew)
Thu Apr 26 13:04:00 2001
Date: Thu, 26 Apr 2001 23:10:37 +0930
Reply-To: matthew@DATADELIVERANCE.COM
From: "Donaldson, Matthew" <matthew@DATADELIVERANCE.COM>
X-To: Valdis.Kletnieks@VT.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104251558.f3PFwnN10445@foo-bar-baz.cc.vt.edu>
Valdis Kletnieks writes:
>On Thu, 26 Apr 2001 01:14:18 +0930, matthew@datadeliverance.com said:
>Wasn't there a *LONG* thread a while ago about how to properly clean a /tmp
>on a *secure* regular basis? (the problem being that a malicious user could
>drop something into /tmp that ended up causing the /tmp cleaner to clean
>the wrong thing....)
Yes, I remember that.
>
>Remember - there's *two* race conditions - one for creating a file (causing
>the victim to create a file other than where he thought), and one for
>de-referencing a filename (causing the victim to read an existing file other
>than the one he intended). /tmp cleaners are in the second category....
Yes, you are right, this category could claim the title of /tmp race condition
as well. Having separate /tmp directories might help even here though - see
below.
>
>Of course, there's still people out there getting burnt by a simple
>
>find /tmp -mtime -7 -type f | xargs rm
>
>Lots of joy to be found here - (like this:
> mkdir /tmp/foo\n; touch /tmp/foo\n/vmunix
>Wait a week, and watch the next reboot fail. Note that *this* little
>gem will work even with separate per-user /tmp directories - this is
>why GNU find/xargs have a -0 option.
Because /tmp looks different for each user, one thing you could do to
increase safety (and I'm not necessarily recommending this, just putting it
up as an idea) is to run the cleanup code (e.g. tmpwatch) once for each user.
e.g. (naively, ignoring NIS etc.)
for user in `cat /etc/passwd | cut -d: -f1`; do
    su - "$user" -c cleanup_command
done
Cleanup programs (like tmpwatch) could be replaced by a wrapper that calls the
real cleanup program for each user. The above find command executed as the
normal user would not cause any problems. It seems to me that under those
circumstances the worst the user could do would be to make booby traps that
remove his/her own files.
One cost would be that presumably the cleanup would take longer, being run
for each user, but perhaps not so very much longer for a non-enormous number of
users. After all, the amount of files to be scanned should be roughly the
same.
Cheers
-Matthew
--
+--------------------------------------------------------------------------+
| Matthew Donaldson http://www.datadeliverance.com |
| Data Deliverance Pty. Ltd. Email: matthew@datadeliverance.com |
| 30 Musgrave Ave. Phone: +61 8 8265 7976 _ |
| Banksia Park Fax: +61 8 8265 0032 John / \/ |
| South Australia 5091 3:16 \_/\ |
+--------------------------------------------------------------------------+
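As an added example (not from Matthew's post or Valdis's reply), the script below shows the `-print0` / `-0` fix Valdis mentions against the embedded-newline trick, and contrasts how many arguments `rm` would receive with and without it. It assumes GNU find/xargs and uses `-mtime +N` (files older than N days, the usual tmpwatch sense); the directory layout is constructed with `mktemp`, not a real /tmp.

```shell
#!/bin/sh
# Added example: a /tmp cleaner that passes filenames NUL-terminated, so a
# name such as "foo<newline>/vmunix" stays one path instead of being split
# by xargs into "foo" and "/vmunix".
# Assumption: GNU find/xargs. Note that -print0 only fixes the filename
# parsing problem; it does not close the time-of-check race between find
# listing a path and rm unlinking it (Valdis's second category).

clean_tmp() {
    dir=$1
    days=$2
    # -xdev: stay on one filesystem; -type f: regular files only (symlinks
    # are neither followed nor removed); -print0/-0: NUL-separated names.
    find "$dir" -xdev -type f -mtime +"$days" -print0 | xargs -0 -r rm -f --
}

# How many arguments the cleanup command would see with newline-separated
# output (the pattern quoted in the thread) versus NUL-separated output.
args_seen_unsafe() {
    find "$1" -xdev -type f -print | xargs sh -c 'echo $#' sh
}
args_seen_safe() {
    find "$1" -xdev -type f -print0 | xargs -0 sh -c 'echo $#' sh
}

# Constructed scratch directory reproducing the booby-trap layout:
# a directory named "foo<newline>" holding a file "vmunix", plus one old
# and one fresh regular file. Prints the directory path.
make_demo() {
    nl='
'
    d=$(mktemp -d)
    mkdir "$d/foo$nl"
    touch "$d/foo$nl/vmunix" "$d/old.txt"
    # Back-date the two candidates so they are older than any threshold.
    touch -t 200101010000 "$d/foo$nl/vmunix" "$d/old.txt"
    touch "$d/fresh.txt"
    printf '%s\n' "$d"
}
```

Run `d=$(make_demo); args_seen_unsafe "$d"; args_seen_safe "$d"; clean_tmp "$d" 7` to see four tokens versus three, and only the two old files removed.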