Bash: Security problem during compilation time.

From: Alexandre Stervinou (stervinoat_private-BORDEAUX.FR)
Date: Mon Mar 16 1998 - 22:36:30 PST


    Introduction:
            This is another /tmp symlink problem. Bash 2.01.1 and earlier
            releases are affected. The authors have been notified.
            I'd like to apologize if I missed a previous post about this
            bug.
    
    Description:
            File concerned: bash-2.01.1/builtins/psize.sh
            Problem: psize.sh creates a temporary file with the fixed name
    /tmp/pipesize on every build, without checking whether that path already
    exists, what its permissions are, or who owns it. Since /tmp is
    world-writable, any local user can create /tmp/pipesize beforehand as a
    symlink to some other file on the system; the build then opens the
    link's target for writing and truncates it. Whoever runs the build
    finds afterwards that one of their own files has been overwritten (and
    if the build runs as root, that can be any file on the system).
    
    Repeat-By:
            Let's take a sensitive case: root will compile bash. A local
            user called "user" knows about this symlink problem and decides
            to get /etc/passwd clobbered:
    
            user$ ln -s /etc/passwd /tmp/pipesize
    
            One day, root wants to compile bash for his system. In the
            bash source directory:
    
            root# ./configure
            root# make
    
            /etc/passwd now contains nothing but the pipe size that
            psize.aux reported for this OS.
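    The attack described above and a safe alternative, as an added example that
    is not part of the original post or of the bash sources. It reproduces the
    symlink clobbering inside a throw-away scratch directory standing in for
    /tmp, with a constructed one-line victim file playing the role of
    /etc/passwd and a shell function standing in for ./psize.aux (all of these
    are assumptions of the example). The hardened variant creates the file in a
    private directory made with mktemp -d instead of at a predictable name in a
    world-writable directory.

```sh
#!/bin/sh
# Added example (not from the original post or from the bash sources):
# reproduces the /tmp/pipesize symlink attack inside a scratch directory
# and contrasts the unsafe write pattern with a safe one.
set -u

# Scratch area standing in for /tmp, plus a constructed victim file that
# plays the role of /etc/passwd in the post. Everything lives under
# $SANDBOX and is removed on exit.
SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' 0
FAKE_TMP="$SANDBOX/tmp"
VICTIM="$SANDBOX/victim"
VICTIM_LINE='root:x:0:0:root:/root:/bin/sh'
mkdir "$FAKE_TMP"

# Stand-in for ./psize.aux, which reports the pipe size on stderr.
fake_psize_aux() {
    echo 4096 >&2
}

# Unsafe pattern from the original psize.sh: "2>/tmp/pipesize" opens the
# path with O_CREAT|O_TRUNC and follows any symlink already sitting there.
unsafe_write() {
    fake_psize_aux 2>"$1"
}

# Safe pattern: a fresh mode-0700 directory with an unpredictable name
# (mktemp -d creates it exclusively), so no other user can plant a link
# at the path we are about to write to. Prints the size it obtained.
safe_write() {
    dir=$(mktemp -d "$FAKE_TMP/psize.XXXXXX") || return 1
    fake_psize_aux 2>"$dir/pipesize"
    cat "$dir/pipesize"
    rm -rf "$dir"
}

# Reset the victim and let the "attacker" pre-place the symlink at the
# predictable name, exactly as in the Repeat-By above.
plant_symlink() {
    printf '%s\n' "$VICTIM_LINE" > "$VICTIM"
    rm -f "$FAKE_TMP/pipesize"
    ln -s "$VICTIM" "$FAKE_TMP/pipesize"
}

# Returns what the victim file contains after the vulnerable build step.
victim_after_unsafe() {
    plant_symlink
    unsafe_write "$FAKE_TMP/pipesize"
    cat "$VICTIM"
}

# Returns what the victim file contains after the hardened build step;
# fails if the pipe size could not be read.
victim_after_safe() {
    plant_symlink
    size=$(safe_write) || return 1
    [ "$size" = 4096 ] || return 1
    cat "$VICTIM"
}

echo "victim after unsafe write: $(victim_after_unsafe)"   # 4096
echo "victim after safe write:   $(victim_after_safe)"     # unchanged
```

    The point of the private directory is that there is no check-then-use
    window at all: nobody else can create entries in a 0700 directory they
    cannot name, so the write cannot be redirected, whereas an existence test
    followed by a redirection (as in the fix below) still leaves a small race.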
    
    Fix(?):
            Here is a simple fix. It is not perfect: it turns the trivial
    attack above into a much harder-to-exploit race (the window between the
    existence check and the redirection), but it is a clear improvement:
    
    #-----------BEGIN psize.sh------------
    #! /bin/sh
    #
    # psize.sh -- determine this system's pipe size, and write a define to
    #             pipesize.h so ulimit.c can use it.
    #
    # modified by Alexandre Stervinou, April 17th, 1998 -- possible symlink
    # problem
    
    echo "/*"
    echo " * pipesize.h"
    echo " *"
    echo " * This file is automatically generated by psize.sh"
    echo " * Do not edit!"
    echo " */"
    echo ""
    
    # Per-process file name instead of the fixed /tmp/pipesize, so the
    # path can no longer be known in advance by another user.
    TMPDIR=/tmp
    TMPNAME=pipesize.$$
    
    # Remove the temporary file if the script is interrupted.
    trap 'rm -f "$TMPDIR/$TMPNAME"' 1 2 3 6 15
    
    # Refuse to run if anything (for instance a symlink) already sits at
    # that path. The test and the redirection below are not atomic, so a
    # small race window remains.
    if [ ! -e "$TMPDIR/$TMPNAME" ]; then
    
        # psize.aux reports on stderr how many bytes it could write into
        # the pipe before blocking; sleep keeps the read end open meanwhile.
        ./psize.aux 2>"$TMPDIR/$TMPNAME" | sleep 3
    
        if [ -s "$TMPDIR/$TMPNAME" ]; then
            SIZE=`cat "$TMPDIR/$TMPNAME"`
            echo "#define PIPESIZE $SIZE"
        else
            echo "#define PIPESIZE 512"
        fi
    
        rm -f "$TMPDIR/$TMPNAME"
    
    else
        exit 1
    fi
    
    exit 0
    #-----------END psize.sh------------
    --
                     Alexandre Stervinou
           mailto:stervinoat_private-bordeaux.fr
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:54 PDT