Introduction: This is another /tmp symlink problem. Bash 2.01.1 & previous releases are concerned. Authors have been warned. I'd like to apologize if I missed a previous post about this bug. Description: File concerned: bash-2.01.1/builtins/psize.sh Problem: A temporary file called /tmp/pipesize is created at each compilation, without checking its existence, file permissions and/or the owner of this file. This may lead to a data integrity problem if someone has created before a symlink to another file on the system. At the end of the compilation, the person who did it could realize that one of his own file has been erased, if the symlink was pointed to it. Repeat-By: Let's take a sensitive case: root will compile bash. A user called "user" knows this symlink problem and decides to provoke the crushing of /etc/passwd. user$ln -s /etc/passwd /tmp/pipesize One day, root wants to compile bash for his system. In the source directory of bash: root#./configure root#make And now, the /etc/passwd file contains the pipe size corresponding to the OS. Fix(?): Here is a simple fix, which is not perfect, but reduces the easy way of doing such a damage to a less obvious race condition issue: #-----------BEGIN psize.sh------------ #! /bin/sh # # psize.sh -- determine this system's pipe size, and write a define to # pipesize.h so ulimit.c can use it. # # modified by Alexandre Stervinou, April 17th, 1998 -- possible symlink problem echo "/*" echo " * pipesize.h" echo " *" echo " * This file is automatically generated by psize.sh" echo " * Do not edit!" echo " */" echo "" TMPDIR=/tmp TMPNAME=pipesize.$$ trap 'rm -rf $TMPDIR/$TMPNAME' 1 2 3 6 15 if [ ! -e $TMPDIR/$TMPNAME ]; then ./psize.aux 2>$TMPDIR/$TMPNAME | sleep 3 if [ -s $TMPDIR/$TMPNAME ]; then echo "#define PIPESIZE `cat $TMPDIR/$TMPNAME`" else echo "#define PIPESIZE 512" fi rm -f $TMPDIR/$TMPNAME else exit 1 fi exit 0 #-----------END psize.sh------------ -- Alexandre Stervinou mailto:stervinoat_private-bordeaux.fr
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:54 PDT