Re: Linux patches to solve /tmp race problem

From: Donaldson, Matthew (matthewat_private)
Date: Thu Apr 26 2001 - 06:40:37 PDT

    Valdis Kletnieks writes:
    
    >On Thu, 26 Apr 2001 01:14:18 +0930, matthewat_private said:
    >Wasn't there a *LONG* thread a while ago about how to properly clean a /tmp
    >on a *secure* regular basis? (the problem being that a malicious user could
    >drop something into /tmp that ended up causing the /tmp cleaner to clean
    >the wrong thing....)
    
    Yes, I remember that.
    
    >
    >Remember - there's *two* race conditions - one for creating a file (causing
    >the victim to create a file other than where he thought), and one for
    >de-referencing a filename (causing the victim to read an existing file other
    >than the one he intended).  /tmp cleaners are in the second category....
    
    Yes you are right, this category could claim the title of /tmp race condition
    as well.  Having separate /tmp directories might help even here though - see
    below.
    
    >
    >Of course, there's still people out there getting burnt by a simple
    >
    >find /tmp -mtime -7 -type f | xargs rm
    >
    >Lots of joy to be found here - (like this:
    >   mkdir /tmp/foo\n; touch /tmp/foo\n/vmunix
    >Wait a week,and watch the next reboot fail.  Note that *this* little
    >gem will work even with separate per-user /tmp directories - this is
    >why GNU find/xargs have a -0 option.
    
    Because /tmp looks different for each user, one thing you could do to
    increase safety (and I'm not necessarily recommending this, just putting it
    up as an idea) is to run the cleanup code (e.g. tmpwatch) once for each user.
    
    e.g. (naively, ignoring NIS etc.)
    
    for user in $(cut -d: -f1 /etc/passwd); do
      su - "$user" -c cleanup_command
    done
    
    Cleanup programs (like tmpwatch) could be replaced by a wrapper that calls the
    real cleanup program for each user.  The above find command executed as the
    normal user would not cause any problems.  It seems to me that under those
    circumstances the worst the user could do would be to make booby traps that
    remove his/her own files.
    
    One cost would be that presumably the cleanup would take longer, being run
    for each user, but perhaps not so very much longer for a non-enormous number of
    users.  After all, the amount of files to be scanned should be roughly the
    same.
    
    Cheers
    
    		-Matthew
    
    --
    +--------------------------------------------------------------------------+
    | Matthew Donaldson             http://www.datadeliverance.com             |
    | Data Deliverance Pty. Ltd.    Email: matthewat_private         |
    | 30 Musgrave Ave.              Phone: +61 8 8265 7976            _        |
    | Banksia Park                  Fax:   +61 8 8265 0032     John  / \/      |
    | South Australia 5091                                     3:16  \_/\      |
    +--------------------------------------------------------------------------+
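The newline booby trap quoted above (mkdir /tmp/foo\n; touch /tmp/foo\n/vmunix) and the fix Valdis alludes to (GNU find -print0 piped into xargs -0), as an added example that is not part of the original post. It builds the trap in a private mktemp directory rather than /tmp, replaces rm with a printf so the argument list can be inspected instead of acted on, and drops the -mtime predicate so both files are always matched (note that -mtime -7 in the quoted one-liner selects files modified within the last seven days; a cleaner that ages files out would use +7). The per-user su loop is not exercised, since it needs root and real accounts. The function names and the file name ordinary.tmp are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the "foo<newline>/vmunix"
# booby trap in a private mktemp directory and compare what rm would be handed by
# the newline-separated pipeline versus the NUL-separated one. Nothing here touches
# the real /tmp and nothing is deleted: rm is replaced by a printf so the argument
# list can be inspected. Names (make_trap, show_args, ordinary.tmp) are assumptions.
set -u

# Build the trap: a directory whose name ends in a newline, containing "vmunix",
# plus one ordinary file that a cleaner should legitimately find. Prints the
# sandbox path.
make_trap() {
    sandbox=$(mktemp -d) || return 1
    nl=$(printf '\nx'); nl=${nl%x}        # a literal newline held in a variable
    mkdir "$sandbox/foo$nl" || return 1
    : > "$sandbox/foo$nl/vmunix"
    : > "$sandbox/ordinary.tmp"
    printf '%s\n' "$sandbox"
}

# Print, one per line, each argument the rm at the end of the pipeline would
# receive. A newline embedded in a single argument is shown as "|" so that one
# argument stays on one line. $1 is "unsafe" or "safe", $2 the directory to scan.
show_args() {
    case $1 in
        unsafe)
            # The quoted one-liner: find emits "<dir>/foo<newline>/vmunix<newline>",
            # xargs splits on whitespace, and rm would get "<dir>/foo" and "/vmunix".
            find "$2" -type f | xargs -n1 sh -c 'printf "%s" "$1" | tr "\n" "|"; echo' _
            ;;
        safe)
            # GNU find -print0 / xargs -0: NUL separators, so the name survives intact.
            find "$2" -type f -print0 | xargs -0 -n1 sh -c 'printf "%s" "$1" | tr "\n" "|"; echo' _
            ;;
        *)
            echo "usage: show_args unsafe|safe DIR" >&2
            return 2
            ;;
    esac
}

# Stand-alone demonstration: ./script demo
if [ "${1-}" = "demo" ]; then
    dir=$(make_trap)
    echo "unsafe pipeline would hand rm:"; show_args unsafe "$dir"
    echo "safe pipeline would hand rm:";   show_args safe "$dir"
    rm -rf "$dir"
fi
```

Run with the argument demo: the unsafe listing shows three targets, one of them the absolute path /vmunix, while the safe listing shows the two files that actually exist, with the directory name's embedded newline rendered as "|". The same NUL-separation applies to -exec rm {} + or find -delete, which never pass names through a text pipe at all.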
    
    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 10:25:04 PDT