[7290] in bugtraq
Re: Linux and world-writable /tmp - UPDATE (fwd)
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Jul 16 16:54:54 1998
Date: Mon, 13 Jul 1998 00:51:25 +0200
Reply-To: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
X-To: Olaf Kirch <okir@monad.swb.de>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <m0ywkaC-000AyFC@monad.swb.de>
On Thu, 16 Jul 1998, Olaf Kirch wrote:

> There are some things I do not understand about this patch.
>
> 1. The code does not redirect /tmp access of processes running
> with a real, effective, or fs uid of root.
>
> So it doesn't buy you anything when it comes to /tmp attacks
> on setuid root programs.

No. You have to make /tmp chmod 755, only root-writable, so there's no
risk. Please read the README carefully ;-)

> 2. The code does not keep normal users from messing around in
> the real /tmp directory. Use ///tmp, or chdir("/") and
> use "tmp", or unset both HOME and TMPDIR, or symlink your
> $HOME/tmp to /tmp, etc.

Yes. It redirects only typical requests. It won't protect /tmp itself, as
I wrote - you have to do 'chmod 755 /tmp'. Without this patch, your
programs won't work after the above chmod. With the patch, they will. It
has been mentioned in the README, again.

> 3. Some setuid programs do open temporary files in /tmp for
> a reason; they do not expect them to be created in /etc.
> They also do not expect that the user invoking the program
> can flip to a different directory underneath of it. An
> interesting attack (having redtmp loaded) would go like
> this:

Setuid programs are NOT redirected to $HOME/tmp. If you want to force
setgid redirection too, simply modify the code, but I can't see a serious
reason to do it (any real-life examples, not 'hypothetical' examples - I
can talk about a 'hypothetical' setuid program executing rm -rf / if only
it detects redtmp installed, but... ;-).
_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
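The exchange above turns on one design question: the patch matches the
spelling of a path, and Olaf's list ("///tmp", chdir("/") plus "tmp",
unset HOME/TMPDIR, a symlinked $HOME/tmp) is exactly the set of spellings
a literal match misses. The following C program is an added illustration
of that point, written for this archive page; it is not redtmp's code and
it runs in user space rather than in the kernel. It contrasts a naive
prefix check with one that lexically canonicalizes the path first (making
it absolute against the working directory, collapsing repeated slashes,
"." and ".."), applies the uid rule as the thread describes it (root and
setuid programs keep the real /tmp; that rule is modelled from the
discussion, not read from the patch), and fails closed when $HOME is
unusable instead of silently falling back to the real /tmp. All function
names (naive_is_tmp, lexical_canon, canon_is_tmp, should_redirect,
redirect_target) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAXPATH 4096

/* Naive matcher: only the literal "/tmp" or "/tmp/..." spelling counts,
   so "///tmp", "tmp" relative to "/" or "/etc/../tmp" all slip past it. */
int naive_is_tmp(const char *path)
{
    return strcmp(path, "/tmp") == 0 || strncmp(path, "/tmp/", 5) == 0;
}

/* Lexically canonicalize `path` against working directory `cwd`: make it
   absolute, collapse repeated slashes, drop "." and resolve "..".
   Symlinks are NOT resolved here (see the note after the code).
   Returns 0 on success, -1 if a buffer would overflow. (Hypothetical helper.) */
int lexical_canon(const char *cwd, const char *path, char *out, size_t outlen)
{
    char work[MAXPATH];
    size_t len;

    if (outlen < 2)
        return -1;
    if (path[0] == '/') {
        if (strlen(path) >= sizeof work)
            return -1;
        strcpy(work, path);
    } else if (snprintf(work, sizeof work, "%s/%s", cwd, path) >= (int)sizeof work) {
        return -1;
    }

    out[0] = '/';
    out[1] = '\0';
    len = 1;
    for (const char *p = work; *p; ) {
        const char *start;
        size_t clen;

        while (*p == '/')            /* skip any run of slashes */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != '/')
            p++;
        clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* pop the last component, but never climb above "/" */
            while (len > 1 && out[len - 1] != '/')
                len--;
            if (len > 1)
                len--;
            out[len] = '\0';
            continue;
        }
        if (len + (len > 1 ? 1 : 0) + clen >= outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
        out[len] = '\0';
    }
    return 0;
}

/* The literal check is sound once the input is canonical. */
int canon_is_tmp(const char *cwd, const char *path)
{
    char buf[MAXPATH];
    if (lexical_canon(cwd, path, buf, sizeof buf) < 0)
        return 0;
    return naive_is_tmp(buf);
}

/* Policy as the thread describes it (assumption, not redtmp's source):
   root (real, effective or fs uid 0) and setuid programs (ruid != euid)
   keep the real /tmp; everyone else's canonical /tmp access is redirected. */
int should_redirect(uid_t ruid, uid_t euid, uid_t fsuid,
                    const char *cwd, const char *path)
{
    if (ruid == 0 || euid == 0 || fsuid == 0)
        return 0;
    if (ruid != euid)
        return 0;
    return canon_is_tmp(cwd, path);
}

/* Redirect target. Fail closed: with no usable $HOME there is nowhere
   safe to send the access, so refuse rather than fall back to real /tmp. */
int redirect_target(const char *home, const char *canon, char *out, size_t outlen)
{
    if (home == NULL || home[0] != '/')
        return -1;
    /* canon is "/tmp" or "/tmp/..."; keep whatever follows "/tmp" */
    if (snprintf(out, outlen, "%s/tmp%s", home, canon + 4) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* constructed probes, one per spelling discussed in the thread */
    const char *probes[] = { "/tmp/x", "///tmp/x", "tmp/x", "/etc/../tmp/x", "/home/u/tmp/x" };
    char target[MAXPATH];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-16s naive=%d canonical=%d\n", probes[i],
               naive_is_tmp(probes[i]), canon_is_tmp("/", probes[i]));
    if (redirect_target("/home/u", "/tmp/x", target, sizeof target) == 0)
        printf("/tmp/x -> %s\n", target);
    if (redirect_target(NULL, "/tmp/x", target, sizeof target) < 0)
        printf("no HOME: access refused\n");
    return 0;
}
```

Lexical canonicalization handles the slash, chdir and ".." spellings, but
not the symlink case in Olaf's list: a $HOME/tmp that is itself a link to
/tmp only shows up after the link is followed, which in the kernel means
deciding at the end of the path walk (or, in user space, after realpath())
rather than on the string the caller passed in. The uid rule is the other
half of the decision: redirection is a convenience for ordinary processes,
and the thread is explicit that the actual protection is the
chmod 755 /tmp, not the redirect.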