[8527] in bugtraq
Re: Xinetd /tmp race?
daemon@ATHENA.MIT.EDU (Marc Heuse)
Fri Nov 13 12:17:16 1998
Date: Fri, 13 Nov 1998 09:09:06 +0100
Reply-To: Marc Heuse <marc@SUSE.DE>
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@NETSPACE.ORG
Hi,
> If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
> this method isn't checked against /tmp, and it happily overwrites anything
> in the place of that file. The package has been released in 1997, IMHO this
> is too old to have a bug of this kind hidden.
hmm you did inform the xinetd maintainer in the first place, right?
an update for Suse Linux distributions is available at ftp.suse.com.
> BTW here's the patch:
your patch leaves xinted still vulnerable.
Here's the one we issued (which was also sent to the maintainer).
It's hard to secure a create-or-append open call, anyone with an
idea for a standard solution?
[This patch leave xinetd vulnerable if /tmp is not sticky, so it's
not 100% without changing the design or location of how the dump
should be done. But a system without a sticky /tmp is a problem anyway]
--- internals.c.orig Wed Jan 24 20:32:46 1996
+++ internals.c Thu Nov 12 11:18:39 1998
@@ -8,6 +8,7 @@
#include <sys/types.h>
#include <sys/stat.h>
+#include <unistd.h>
#ifdef linux
#include <sys/time.h>
#endif
@@ -54,9 +55,24 @@
time_t current_time ;
register int fd ;
register unsigned u ;
+ struct stat stat ;
char *func = "dump_internal_state" ;
- dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ;
+ dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ;
+ if ( dump_fd == -1 )
+ {
+ if ( lstat( dump_file, &stat) != 0)
+ {
+ msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
+ return ;
+ }
+ if (stat.st_uid != getuid())
+ {
+ msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ;
+ return ;
+ }
+ dump_fd = open( dump_file, O_WRONLY + O_APPEND) ;
+ }
if ( dump_fd == -1 )
{
msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
Greets,
Marc
--
Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Support & Auditing
issue a "finger marc@suse.de | pgp -fka" for my public pgp key
