[Pkg-shadow-devel] Bug#330350: passwd: Potential symlink attack problem in remove-shell?

Christian Perrier bubulle at debian.org
Tue Sep 27 17:07:56 UTC 2005


Package: passwd
Version: 1:4.0.12-2
Severity: normal

By looking at /usr/sbin/remove-shell, I see this:

==============================================================
file=/etc/shells
# I want this to be GUARANTEED to be on the same filesystem as $file
tmpfile=${file}.tmp
otmpfile=${file}.tmp2

set -o noclobber

trap "rm -f $tmpfile $otmpfile" EXIT
        
if ! cat $file > $tmpfile
then
        cat 1>&2 <<EOF
Either another instance of $0 is running, or it was previously interrupted.
Please examine ${tmpfile} to see if it should be moved onto ${file}.
EOF
        exit 1
fi
==============================================================

I actually think this is HIGHLY vulnerable to a symlink attack because of an
unsafe creation of a temporary file, with a predictable name.

Other shadow maintainers, do you confirm? If so, we have a nice security
bug, people...:-|

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages passwd depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libpam-modules                0.76-23    Pluggable Authentication Modules f
ii  libpam0g                      0.76-23    Pluggable Authentication Modules l
ii  login                         1:4.0.12-2 system login tools

passwd recommends no packages.

-- debconf information:
  passwd/password-mismatch:
* passwd/username: bubulle
  passwd/password-empty:
  passwd/make-user: true
  passwd/shadow: true
  passwd/username-bad:
* passwd/user-fullname: Christian Perrier
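The defensive counterpart to the excerpt quoted above, added here as an example; it is not code from this bug report or from the passwd package. It replaces the fixed, predictable `${file}.tmp` name with a temporary file created by mktemp(1) in the target's own directory (so the final rename stays on the same filesystem and is atomic), and relies on mktemp's O_EXCL creation rather than on a guessable path. The function name `safe_remove_shell`, the `.shells.XXXXXX` template and the 0644 mode restored on the result are my choices, not anything taken from remove-shell.

```shell
#!/bin/sh
# Added example, not the passwd package's remove-shell: rewrite a file such as
# /etc/shells without the line naming SHELL, using an unpredictable temporary
# name in the same directory and an atomic rename.
#
# Usage: safe_remove_shell FILE SHELL
# Returns 0 on success; on failure returns 1 and leaves FILE untouched.
safe_remove_shell() {
    file=$1
    shell=$2
    dir=$(dirname "$file")

    # mktemp opens with O_CREAT|O_EXCL and mode 0600, and picks a random
    # suffix, so a pre-placed symlink at a guessable name is never followed.
    # (Template name .shells.XXXXXX is an assumption of this example.)
    tmpfile=$(mktemp "$dir/.shells.XXXXXX") || return 1

    # Clean up on any exit of the script; note this replaces any EXIT trap the
    # caller had set, as the original script's trap also does.
    trap 'rm -f "$tmpfile"' EXIT

    # Copy everything except lines that are exactly SHELL. grep returns 1 when
    # no line remains, which is a valid (empty) result; only 2+ is an error.
    rc=0
    grep -v -x -F -- "$shell" "$file" > "$tmpfile" || rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmpfile"
        trap - EXIT
        return 1
    fi

    # /etc/shells is conventionally world-readable; mktemp created it 0600.
    chmod 0644 "$tmpfile" || { rm -f "$tmpfile"; trap - EXIT; return 1; }

    # Atomic replacement on the same filesystem: readers see either the old
    # or the new file, never a partially written one.
    mv -f "$tmpfile" "$file" || { rm -f "$tmpfile"; trap - EXIT; return 1; }
    trap - EXIT
    return 0
}

# Stand-alone demonstration on a constructed copy, never on the real
# /etc/shells:   sh safe-remove-shell.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    printf '/bin/sh\n/bin/bash\n' > "$demo_dir/shells"   # constructed sample
    safe_remove_shell "$demo_dir/shells" /bin/bash && cat "$demo_dir/shells"
    rm -rf "$demo_dir"
fi
```

The point of the test below is the one the report makes: a symlink planted beforehand at the predictable `shells.tmp` name is simply never touched, because the temporary name is chosen at run time and created with O_EXCL.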
