[28215] in Source-Commits
Re: auto-update commit: Move update hook location and clean-up on
daemon@ATHENA.MIT.EDU (Anders Kaseorg)
Wed May 14 18:38:04 2014
Date: Wed, 14 May 2014 18:37:54 -0400 (EDT)
From: Anders Kaseorg <andersk@MIT.EDU>
To: Jonathan D Reed <jdreed@MIT.EDU>
cc: Jonathon Weiss <jweiss@MIT.EDU>,
"source-commits@mit.edu" <source-commits@MIT.EDU>
In-Reply-To: <D5CEE8FC-AB2F-4362-B49D-5FD25917A424@mit.edu>
Message-ID: <alpine.DEB.2.02.1405141821440.44324@all-night-tool.MIT.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=UTF-8
Content-Transfer-Encoding: 8bit
On Wed, 14 May 2014, Jonathan D Reed wrote:
> In the event that someone is logged in, and manages to swap out the
> script in the one line between when the sha256sum is verified and when
> it is executed, that would obviously be a problem. But if they can do
> that, there are far easier attack vectors, like replacing auto-update
> itself, or just sketching directly on the disk.
That argument doesn’t apply to debathena-workstation with
RUN_UPDATE_HOOK=yes, where mortals can’t become root. Maybe it happens
that nobody configures -workstation that way, but I still wouldn’t think
this a good excuse for including a textbook case of insecure tmp handling
anywhere in our code.
We could just work around the noexec problem by passing the file straight
to sh:
diff --git a/debian/athena-auto-update b/debian/athena-auto-update
index 6f2e35e..1d32604 100644
--- a/debian/athena-auto-update
+++ b/debian/athena-auto-update
@@ -185,12 +185,11 @@ fi
UPDATE_HOOK_URL="https://athena10.mit.edu/update-hook/debathena-update-hook.sh"
UPDATE_HOOK_SUM="https://athena10.mit.edu/update-hook/debathena-update-hook-sha256sum"
MITCA="/usr/share/debathena-auto-update/mitCA.crt"
-UPDATE_HOOK="/var/tmp/debathena-update-hook.sh"
+UPDATE_HOOK="/var/run/debathena-update-hook.sh"
rm -f $UPDATE_HOOK
if [ "$RUN_UPDATE_HOOK" = "yes" ] && \
curl -sf -o $UPDATE_HOOK --cacert $MITCA $UPDATE_HOOK_URL; then
- chmod 500 $UPDATE_HOOK
SHA256SUM="$(curl -sf --cacert $MITCA $UPDATE_HOOK_SUM)"
rv=$?
if [ $rv != 0 ]; then
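Review bot: moving UPDATE_HOOK from /var/tmp to /var/run only removes the swap-the-file race if /var/run is root-owned and not writable by other users, and nothing in this hunk checks or records that; a one-line comment above `UPDATE_HOOK="/var/run/debathena-update-hook.sh"` stating the assumption (or a check that refuses to proceed if the directory is group- or world-writable) would stop the next edit from quietly moving it back to a shared directory. With `chmod 500 $UPDATE_HOOK` dropped, the downloaded file is created with the script's umask, which is harmless for a script served publicly but should be mentioned in the commit message. Minor: `$UPDATE_HOOK` is unquoted in `rm -f $UPDATE_HOOK` and `curl -sf -o $UPDATE_HOOK` while `"$RUN_UPDATE_HOOK"` on the same hunk is quoted.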
@@ -203,7 +202,7 @@ if [ "$RUN_UPDATE_HOOK" = "yes" ] && \
exit
fi
if ! [ -f "/var/lib/athena-update-hooks/$SHA256SUM" ]; then
- if ! v $UPDATE_HOOK; then
+ if ! v sh $UPDATE_HOOK; then
complain "update hook returned non-zero status"
exit
else
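Review bot: `v sh $UPDATE_HOOK` works around noexec but ignores the hook's `#!` line, so debathena-update-hook.sh now runs under whatever /bin/sh is on the machine (dash on Debian and Ubuntu) rather than the interpreter it names; either document that the hook must be POSIX sh or invoke the interpreter it expects explicitly. The window between the checksum comparison and this line that the reply describes is not changed by this hunk; what narrows it is the relocation to a directory unprivileged users cannot write to, so the commit message should say that the two changes go together.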
Anders
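The private-directory handling the reply asks for, as an added example that is not code from this thread or from the Debathena auto-update script. It fetches the hook into a directory only this process can reach, verifies the SHA-256 of that copy, and hands the same file to sh, so there is no shared path another user can swap between the check and the run and no dependence on an executable mount. The names run_verified_hook, FETCH_CMD, EXPECTED and STATE_DIR are assumptions for the example; the offline demonstration uses cp in place of curl.

```sh
#!/bin/sh
# Added example, not code from the Debathena auto-update script. It shows a
# fetch, verify and run sequence for an update hook that avoids both issues
# raised in the thread: a verify-then-execute race on a file in a directory
# other users can write to, and a noexec mount on the download location.
#
# Assumed names (none come from the original script):
#   FETCH_CMD  - command that writes the hook to the path appended as its
#                last argument; in production something like
#                "curl -sf --cacert /path/to/ca.crt https://host/hook.sh -o",
#                here "cp" so the example runs offline.
#   EXPECTED   - the hook's SHA-256, already obtained over the authenticated
#                channel (the original fetches it with a second curl).
#   STATE_DIR  - directory of marker files for hooks that already ran, keyed
#                by checksum, in the spirit of /var/lib/athena-update-hooks.

# run_verified_hook FETCH_CMD EXPECTED STATE_DIR
# Returns 0 if the hook ran and succeeded, or had already run;
#         1 if EXPECTED is malformed or the checksum does not match (hook not run);
#         2 if the fetch failed; 3 if no private directory could be created;
#         otherwise the hook's own non-zero exit status.
run_verified_hook() {
    fetch_cmd=$1 expected=$2 state_dir=$3

    # EXPECTED becomes a file name below, so insist on exactly 64 lowercase
    # hex digits before using it anywhere.
    case $expected in *[!0-9a-f]*|'') return 1 ;; esac
    [ "${#expected}" -eq 64 ] || return 1

    # Already applied: nothing to do.
    [ -f "$state_dir/$expected" ] && return 0

    # mktemp -d creates a fresh directory with mode 0700 owned by this
    # process, regardless of umask. No other unprivileged user can create,
    # replace or symlink files in it, so the file verified below is the file
    # executed below; there is no window for a swap between the two steps.
    workdir=$(mktemp -d) || return 3
    hook=$workdir/update-hook.sh

    if ! $fetch_cmd "$hook"; then
        rm -rf "$workdir"
        return 2
    fi

    # Check the checksum of the copy in the private directory, and refuse
    # anything that is not a plain regular file.
    if [ ! -f "$hook" ] || [ -L "$hook" ] || \
       ! printf '%s  %s\n' "$expected" "$hook" | sha256sum -c --status; then
        rm -rf "$workdir"
        return 1
    fi

    # Hand the file to an interpreter instead of executing it directly, so
    # it runs even if $workdir lives on a filesystem mounted noexec and no
    # chmod +x is needed. Note that the hook's own #! line is not consulted:
    # the hook must be valid for whatever /bin/sh is on the system.
    sh "$hook"
    rv=$?

    rm -rf "$workdir"
    if [ "$rv" -eq 0 ]; then
        mkdir -p "$state_dir" && : > "$state_dir/$expected"
    fi
    return "$rv"
}

# Offline demonstration with a constructed hook standing in for the download.
demo=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'echo "demo hook ran"' > "$demo/server-hook.sh"
good=$(sha256sum "$demo/server-hook.sh" | cut -d' ' -f1)
bad=0000000000000000000000000000000000000000000000000000000000000000

run_verified_hook "cp $demo/server-hook.sh" "$good" "$demo/state"
echo "matching checksum: status $?"      # 0, hook ran
run_verified_hook "cp $demo/server-hook.sh" "$good" "$demo/state"
echo "same hook again: status $?"        # 0, skipped via marker
run_verified_hook "cp $demo/server-hook.sh" "$bad" "$demo/state"
echo "wrong checksum: status $?"         # 1, hook not run
rm -rf "$demo"
```

The private directory does the work that the original's chmod 500 and rm -f could not: ownership and mode 0700 are set atomically by mktemp before the download starts, so a symlink or a replaced file planted by another user never enters the picture, and the cleanup is the whole directory rather than one guessable path.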