Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 7 Jun 2003 07:58:12 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com,
	stanislav shalunov <shalunov@...ernet2.edu>
Subject: Re: stmpclean problem

On Fri, Jun 06, 2003 at 01:31:40AM -0400, stanislav shalunov wrote:
> I will make modifications that should prevent such harmless usage
> mistake from becoming a disaster again.  There doesn't appear to be
> any significant drawback to not allowing relative pathnames, so I'll
> check for `/' as the first character of the directory name as given on
> the command line.

Currently, the chdir("/") is also done to ensure logging uses absolute
pathnames.  This means that you will need to do realpath(3) or an
equivalent on any relative pathnames for logging, right?

> I'm also considering checking permissions and
> making sure it's 1777 and refusing to run otherwise to minimize the
> chances of people using the utility in unintended ways.

This may be a good idea, but it will break valid uses, including even
the default use on Owl:

david!root:~# cat /etc/cron.daily/stmpclean 
#!/bin/sh
# $Id: stmpclean.cron,v 1.1 2002/03/30 01:13:18 solar Exp $

/usr/sbin/stmpclean -t 10d /tmp /var/tmp

if [ -d /var/catman ]; then
        /usr/sbin/stmpclean -t 10d /var/catman/{,X11R6/,local/}cat[123456789n]
fi

david!root:~# ls -ld /var/catman/{,X11R6/,local/}cat[123456789n] | head
drwxrwxr-x    2 root     man          4096 Jun  6 05:28 /var/catman/cat1
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat2
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat3
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat4
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat5
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat6
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat7
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat8
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/cat9
drwxrwxr-x    2 root     man          4096 May 16 04:43 /var/catman/catn

This really needs to be stmpclean (or another race-safe program)
because the /var/catman tree is writable by group "man".  It shouldn't
be possible to mount additional attacks having obtained that level of
access.

> (In a non-publicly-writable directory, `find | xargs rm' is safe.)

Not necessarily.  A directory tree may contain directories writable by
non-root users or by groups.  Alternatively, it may not contain
writable directories, but its contents may still be untrusted and the
above "find" command will produce unintended behavior on certain
special characters in filenames (it may be solved with "find -print0",
"xargs -0", and "rm --").

Our version of find has the "-delete" option, which allows for its
safe use in cases like these.  But stmpclean may be better suited for
cleaning directories from old files.

> Opinions about the permissions check?

Maybe make it the default, but allow for a way to bypass it or
explicitly specify alternate permissions (and owner/group?) to check
for.  But is it worth the hassle?

-- 
Alexander Peslyak <solar@...nwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.