[28209] in Source-Commits
Re: auto-update commit: Move update hook location and clean-up on success
daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Tue May 13 19:50:17 2014
To: Jonathan D Reed <jdreed@MIT.EDU>
cc: source-commits@MIT.EDU
In-reply-to: <201405131943.s4DJhcu8025360@drugstore.mit.edu>
Date: Tue, 13 May 2014 19:50:08 -0400
From: Jonathon Weiss <jweiss@MIT.EDU>
Message-id: <20140413t195008p3589damsjw@the-other-woman.mit.edu>
Does this open us to any attacks, because /var/tmp is world-writable and we're using a predictable filename in it? Two possibilities that come to mind off the top of my head are symlinking the file to somewhere and getting a file on disk smashed, and putting a script there and getting it run as root outside the "serial-reusability jail". That said, I haven't looked at the code to see if there are any other things that might be mitigating such attacks.
Jonathon
Jonathan D Reed <jdreed@MIT.EDU> wrote:
> https://github.com/mit-athena/auto-update/commit/40ffb03f155dfd3db1b5ed31bd92b27486c2bdfb
> commit 40ffb03f155dfd3db1b5ed31bd92b27486c2bdfb
> Author: Jonathan Reed <jdreed@mit.edu>
> Date: Tue May 13 15:32:45 2014 -0400
>
> Move update hook location and clean-up on success
>
> /run is noexec, so we can't actually execute the update hook, so
> we move it to /var/tmp instead (Trac: #1461)
>
> We also clean up the hook upon successful execution
>
> debian/athena-auto-update | 3 ++-
> debian/changelog | 8 ++++++++
> 2 files changed, 10 insertions(+), 1 deletions(-)
>
> diff --git a/debian/athena-auto-update b/debian/athena-auto-update
> index ac9ae69..6f2e35e 100644
> --- a/debian/athena-auto-update
> +++ b/debian/athena-auto-update
> @@ -185,7 +185,7 @@ fi
> UPDATE_HOOK_URL="https://athena10.mit.edu/update-hook/debathena-update-hook.sh"
> UPDATE_HOOK_SUM="https://athena10.mit.edu/update-hook/debathena-update-hook-sha256sum"
> MITCA="/usr/share/debathena-auto-update/mitCA.crt"
> -UPDATE_HOOK="/var/run/debathena-update-hook.sh"
> +UPDATE_HOOK="/var/tmp/debathena-update-hook.sh"
>
> rm -f $UPDATE_HOOK
> if [ "$RUN_UPDATE_HOOK" = "yes" ] && \
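Review bot: the new `+UPDATE_HOOK="/var/tmp/debathena-update-hook.sh"` is a fixed, predictable name in a world-writable directory, and the `rm -f $UPDATE_HOOK` that follows it, then the download, leaves a window in which any local user can create a file or a symlink at that path before the root-run script writes to it. Since the only motivation is that /run is mounted noexec, the cheaper fix is to keep the hook in a root-owned directory (/run itself, or a subdirectory of /var/lib/athena-update-hooks, which this script already writes to) and invoke it as `sh "$UPDATE_HOOK"`, which noexec does not block; failing that, stage it in a directory created with `mktemp -d` under a root-owned location rather than at a fixed name. Also quote the variable (`rm -f "$UPDATE_HOOK"`), matching the quoting used on the other paths in this hunk.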
> @@ -208,6 +208,7 @@ if [ "$RUN_UPDATE_HOOK" = "yes" ] && \
> exit
> else
> touch "/var/lib/athena-update-hooks/$SHA256SUM"
> + rm -f $UPDATE_HOOK
> fi
> fi
> fi
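Review bot: the added `+ rm -f $UPDATE_HOOK` sits only in the `else` branch, so on the path that ends in the `exit` a few lines above, the downloaded hook stays behind in /var/tmp until the next run's initial `rm -f`. Set a `trap 'rm -f "$UPDATE_HOOK"' EXIT` right after UPDATE_HOOK is assigned (or move the removal to a common point after the if/else) so the file is removed on every exit, and quote the variable here as well.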
> diff --git a/debian/changelog b/debian/changelog
> index 3fd45ac..59bbbd4 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +debathena-auto-update (1.45) unstable; urgency=low
> +
> + * Do not attempt to run update hooks out of /var/run, since it's mounted
> + noexec; use /var/tmp instead (Trac: #1461)
> + * Delete the script upon successful execution
> +
> + -- Jonathan Reed <jdreed@mit.edu> Tue, 13 May 2014 15:32:36 -0400
> +
> debathena-auto-update (1.44) unstable; urgency=low
>
> * Add git-buildpackage configuration
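As an added example (not code from debathena-auto-update or from either poster), the staging pattern a reviewer would propose for the download-verify-run-cleanup step questioned above: an unpredictable private directory instead of a fixed name in a world-writable /var/tmp, the checksum verified on the exact file that is executed, the interpreter invoked explicitly so a noexec mount does not matter, and cleanup on every exit path. The hook body and its expected checksum are constructed inline (in the real script they come from UPDATE_HOOK_URL and UPDATE_HOOK_SUM), and the assumed `run_hook_safely` and `HOOK_BASE_DIR` names are the example's own; the base directory defaults to $TMPDIR so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from debathena-auto-update or from either poster.
# Demonstrates a download-verify-run-cleanup step without a fixed filename in a
# world-writable directory. Assumed names: run_hook_safely, HOOK_BASE_DIR.

# Base directory for the private hook directory. In the real script this should be
# a root-owned location (/run, or under /var/lib/athena-update-hooks, which the
# script already writes to); it defaults to $TMPDIR here so the example runs
# unprivileged.
HOOK_BASE_DIR="${HOOK_BASE_DIR:-${TMPDIR:-/tmp}}"

# run_hook_safely BODY_FILE EXPECTED_SHA256
#   BODY_FILE stands in for the downloaded hook (UPDATE_HOOK_URL in the original).
#   Exit status: 0 hook verified and ran, 1 checksum mismatch, 2 hook failed,
#   3 could not stage the file.
# The body is a subshell so the EXIT trap fires whenever the function returns.
run_hook_safely() (
    body_file=$1
    expected_sum=$2
    # mktemp -d picks an unpredictable name and creates the directory mode 0700,
    # so no other local user can pre-create a file or symlink at the hook's path.
    hook_dir=$(mktemp -d "$HOOK_BASE_DIR/update-hook.XXXXXX") || exit 3
    # Clean up on every way out: success, checksum failure, hook failure, signal.
    trap 'rm -rf "$hook_dir"' EXIT HUP INT TERM
    hook="$hook_dir/hook.sh"
    cp "$body_file" "$hook" || exit 3
    # Verify the exact file that will be executed, after it is in the private
    # directory, so nothing can be swapped between the check and the run.
    actual_sum=$(sha256sum "$hook" | cut -d' ' -f1)
    [ "$actual_sum" = "$expected_sum" ] || exit 1
    # Pass the script to the interpreter instead of executing it: the noexec
    # mount option only blocks execve, so a location like /run would work too.
    sh "$hook" || exit 2
    exit 0
)

# Demo with a constructed hook body (not a real update hook).
demo_dir=$(mktemp -d) || exit 1
printf '#!/bin/sh\necho "hook ran from $0"\n' > "$demo_dir/hook-body.sh"
demo_sum=$(sha256sum "$demo_dir/hook-body.sh" | cut -d' ' -f1)
run_hook_safely "$demo_dir/hook-body.sh" "$demo_sum"
echo "exit status with correct checksum (expect 0): $?"
run_hook_safely "$demo_dir/hook-body.sh" "$(printf '%064d' 0)"
echo "exit status with wrong checksum (expect 1): $?"
rm -rf "$demo_dir"
```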