[Pkg-shadow-devel] Bug#330350: passwd: Potential symlink attack problem in remove-shell?
Nicolas François
nicolas.francois at centraliens.net
Tue Sep 27 22:17:56 UTC 2005

Hello,
On Tue, Sep 27, 2005 at 07:07:56PM +0200, bubulle at debian.org wrote:
> Package: passwd
> Version: 1:4.0.12-2
> Severity: normal
> 
> By looking at /usr/sbin/remove-shell, I see this:
> 
> ==============================================================
> file=/etc/shells
> # I want this to be GUARANTEED to be on the same filesystem as $file
> tmpfile=${file}.tmp
> otmpfile=${file}.tmp2
> 
> set -o noclobber
> 
> trap "rm -f $tmpfile $otmpfile" EXIT
>         
> if ! cat $file > $tmpfile
> then
>         cat 1>&2 <<EOF
> Either another instance of $0 is running, or it was previously interrupted.
> Please examine ${tmpfile} to see if it should be moved onto ${file}.
> EOF
>         exit 1
> fi
> ==============================================================
> 
> I actually think this is HIGHLY vulnerable to a symlink attack because of an
> unsafe creation of a temporary file, with a predictable name.
> 
> Other shadow maintainers, do you confirm? If so, we have a nice security
> bug, people...:-|

This doesn't look that bad to me.
Here, the temporary file is in /etc/. If somebody can create a symlink in
/etc/, she can probably also change /etc/shadow.
-- 
Nekral
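
The quoted `cat $file > $tmpfile` step, replayed in a scratch directory as an added example (not part of either message and not code from remove-shell): it shows what `set -o noclobber` does when a symlink already sits at the predictable temp name, compared with the same redirect without the option. The function names and all paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every path lives under a scratch directory from mktemp -d;
# "shells" stands in for /etc/shells and "victim" for some other file.

# replay_redirect DIR [noclobber]: run the quoted "cat $file > $tmpfile"
# step in a subshell. Exit status 0 means the redirect opened $tmpfile.
replay_redirect() {
    (
        file="$1/shells"
        tmpfile="${file}.tmp"
        if [ "${2:-}" = noclobber ]; then set -o noclobber; fi
        cat "$file" > "$tmpfile"
    ) 2>/dev/null
}

# scenario KIND [noclobber]: KIND is clean, symlink (link to an existing
# file) or dangling (link to a missing file). Prints "<opened|refused>
# <intact|modified>", where the second word describes the link's target.
scenario() {
    dir=$(mktemp -d) || return 2
    printf '/bin/sh\n/bin/bash\n' > "$dir/shells"
    printf 'original\n' > "$dir/victim"
    case "$1" in
        symlink)  ln -s "$dir/victim" "$dir/shells.tmp" ;;
        dangling) ln -s "$dir/absent" "$dir/shells.tmp" ;;
    esac
    if replay_redirect "$dir" "${2:-}"; then
        opened=opened
    else
        opened=refused
    fi
    if [ "$(cat "$dir/victim")" = original ] && [ ! -e "$dir/absent" ]; then
        target=intact
    else
        target=modified
    fi
    rm -rf "$dir"
    echo "$opened $target"
}

for kind in clean symlink dangling; do
    echo "$kind: noclobber=[$(scenario "$kind" noclobber)] default=[$(scenario "$kind")]"
done
```

Each output line pairs the result with noclobber set against the result of the shell's default redirect behaviour for the same starting state.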
    
    