[18588] in bugtraq
Re: Immunix OS Security update for lots of temp file problems
daemon@ATHENA.MIT.EDU (Tomasz Kłoczko)
Fri Jan 12 16:27:55 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: 8BIT
Message-ID: <Pine.LNX.4.21.0101110104170.948-100000@rudy.mif.pg.gda.pl>
Date: Thu, 11 Jan 2001 02:28:31 +0100
Reply-To: Tomasz Kłoczko <kloczek@RUDY.MIF.PG.GDA.PL>
From: Tomasz Kłoczko <kloczek@RUDY.MIF.PG.GDA.PL>
X-To: Greg KH <greg@WIREX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010110121117.A4714@wirex.com>
On Wed, 10 Jan 2001, Greg KH wrote:
[..]
> -----------------------------------------------------------------------
> Packages updated: shadow-utils
> Affected products: Immunix OS 7.0-beta
> Bugs Fixed: immunix/1319
> Date: January 10, 2000
> Advisory ID: IMNX-2000-70-027-01
> Author: Greg Kroah-Hartman <greg@wirex.com>
> -----------------------------------------------------------------------
>
> Description:
> In an internal audit conducted while preparing Immunix Linux 7.0 we
> noticed a potential temp file race problem in the useradd program
> within the shadowutils package. The useradd program creates its temp
> files in the protected directory /etc/default, but if this directory
> is changed to world writable, a problem could occur.
Disclaimer: I'm the current shadow maintainer.

Sorry, but I can't agree with classifying this kind of bad code as a bug. Why?
Because if you have (for example) /etc/default world writable, this is not
a bug in (for example) shadow. On the other side, if you make any other normally
non-world-writable directory (or file) writable, you can find more of this kind of "bugs";
all the rest of the analysis at this point can be dropped, and you can also try to prepare
*many more* of this kind of "fixes" at the source level and still you won't be able to
defend the system against simple attacks .. *before fixing the permissions*.

By the above I'm not even trying to defend this incorrectly written fragment in
useradd (which I fixed in the cvs tree a few weeks ago). I simply can't agree
with this kind of logic which tries to classify this kind of case as a bug or even a
potential bug, simply because on a correctly configured system and/or also
even on a system out of the box this can't be exploited (.. or I'm wrong,
and please correct me and/or show me real exploit code). The existence in the system
of a kind of bug which allows making /etc/default world writable gives the
attacker all they want, and all other talk about other "potential"
bugs will be only empty logical exercises.

Yes, fixing this kind of fragment must be an element of auditing code, but still
this isn't even a potential bug, because without a bug outside this code it
can't be exploited, and this is also the answer to why shadow with the fix for this
was not officially released ASAP.
kloczek
--
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*
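An added example (not code from the advisory, from shadow-utils, or from anyone in this thread) that stages the situation both sides are describing: a predictable temp-file name in a directory that has been made world-writable, an attacker's symlink planted at that name, and the difference between opening it with plain O_CREAT and with O_CREAT|O_EXCL|O_NOFOLLOW. The scratch directory, the file names (victim, useradd.tmp) and their contents are constructed for the demo and stand in for /etc/default; dir_is_safe() is the kind of permission precondition check that the mail argues belongs outside the program, included here so the two outcomes can be compared side by side.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Precondition check: is 'dir' a sane place for a privileged program to create
 * temp files?  Rejects a group/world-writable directory unless it is sticky
 * (like /tmp), and one owned by someone other than root or the running user. */
int dir_is_safe(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX))
        return 0;
    return 1;
}

/* Fragile pattern: predictable name, O_CREAT without O_EXCL.  If an attacker has
 * planted a symlink at that name, open() follows it and we truncate the target. */
int fragile_create(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST if anything (symlink
 * included) already sits at 'path'; O_NOFOLLOW refuses a symlink there outright. */
int hardened_create(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;   /* errno left as set by open() */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read a small file into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Stage the scenario in a scratch directory (constructed here, not a real
 * /etc/default): make it world-writable, plant an attacker symlink at the
 * predictable temp-file name, run both creators.  Returns a bitmask of failed
 * expectations; 0 means every expectation held. */
int run_demo(void)
{
    char dir[64] = "/tmp/tmprace-XXXXXX";
    char victim[128], link[128], buf[64];
    int failed = 0;

    if (mkdtemp(dir) == NULL) {               /* no /tmp? fall back to the cwd */
        strcpy(dir, "tmprace-XXXXXX");
        if (mkdtemp(dir) == NULL) return 1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/useradd.tmp", dir);  /* predictable name */

    if (!dir_is_safe(dir))                    failed |= 1 << 1;  /* fresh 0700 dir passes */
    if (fragile_create(victim, "original\n")) failed |= 1 << 2;
    if (chmod(dir, 0777) != 0)                failed |= 1 << 3;  /* the misconfiguration */
    if (dir_is_safe(dir))                     failed |= 1 << 4;  /* check now rejects it */
    if (symlink(victim, link) != 0)           failed |= 1 << 5;  /* attacker wins the race */

    /* fragile creator follows the link and clobbers the victim */
    if (fragile_create(link, "clobbered\n"))  failed |= 1 << 6;
    if (read_small(victim, buf, sizeof buf) < 0 || strcmp(buf, "clobbered\n"))
        failed |= 1 << 7;

    /* hardened creator is refused (EEXIST from O_EXCL or ELOOP from O_NOFOLLOW)
     * and the victim's content is left alone */
    errno = 0;
    if (hardened_create(link, "safe\n") != -1 || (errno != EEXIST && errno != ELOOP))
        failed |= 1 << 8;
    if (read_small(victim, buf, sizeof buf) < 0 || strcmp(buf, "clobbered\n"))
        failed |= 1 << 9;

    unlink(link); unlink(victim); rmdir(dir);
    return failed;
}
```

run_demo() returns 0 when the fragile open overwrites the victim through the symlink and the hardened open is refused with EEXIST or ELOOP. The scratch directory is deliberately 0777 without the sticky bit, which is the /etc/default situation the advisory assumes; note that Linux's fs.protected_symlinks only guards sticky world-writable directories, so it does not interfere with this demo and would not protect a non-sticky /etc/default either.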