[Pkg-shadow-devel] Bug#330350: marked as done (passwd: Potential symlink attack problem in remove-shell?)

Debian Bug Tracking System owner at bugs.debian.org
Wed Sep 28 17:48:12 UTC 2005


Your message dated Wed, 28 Sep 2005 19:08:28 +0200
with message-id <20050928170828.GF26213 at djedefre.onera>
and subject line Bug#330350: [Pkg-shadow-devel] Bug#330350: passwd: Potential symlink attack problem in remove-shell?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Christian Perrier <bubulle at debian.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: passwd: Potential symlink attack problem in remove-shell?
X-Mailer: reportbug 3.17
Date: Tue, 27 Sep 2005 19:07:56 +0200
Message-Id: <20050927170756.166AE40A0A3 at mykerinos.kheops.frmug.org>

Package: passwd
Version: 1:4.0.12-2
Severity: normal

By looking at /usr/sbin/remove-shell, I see this:

==============================================================
file=/etc/shells
# I want this to be GUARANTEED to be on the same filesystem as $file
tmpfile=${file}.tmp
otmpfile=${file}.tmp2

set -o noclobber

trap "rm -f $tmpfile $otmpfile" EXIT
        
if ! cat $file > $tmpfile
then
        cat 1>&2 <<EOF
Either another instance of $0 is running, or it was previously interrupted.
Please examine ${tmpfile} to see if it should be moved onto ${file}.
EOF
        exit 1
fi
==============================================================

I actually think this is HIGHLY vulnerable to a symlink attack because of an
unsafe creation of a temporary file, with a predictable name.

Other shadow maintainers, do you confirm? If so, we have a nice security
bug, people...:-|

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages passwd depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libpam-modules                0.76-23    Pluggable Authentication Modules f
ii  libpam0g                      0.76-23    Pluggable Authentication Modules l
ii  login                         1:4.0.12-2 system login tools

passwd recommends no packages.

-- debconf information:
  passwd/password-mismatch:
* passwd/username: bubulle
  passwd/password-empty:
  passwd/make-user: true
  passwd/shadow: true
  passwd/username-bad:
* passwd/user-fullname: Christian Perrier
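
The excerpt quoted in this report runs `cat $file > $tmpfile` after `set -o noclobber`. The script below is an added example, not part of the bug report or of remove-shell: it exercises that redirection in a scratch directory with a regular file, a symlink, or a dangling symlink already at the temporary path. The `run_case` helper and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: behaviour of `cat $file > $tmpfile` under noclobber
# when something already sits at the temporary path. Everything happens in a
# throwaway directory; all file names below are constructed.

# run_case KIND prints "<created|refused>,<target-intact|target-modified>"
run_case() {
    d=$(mktemp -d) || return 2
    printf '/bin/sh\n/bin/bash\n' > "$d/shells"   # stand-in for /etc/shells
    printf 'original\n' > "$d/target"             # file a symlink points at
    case $1 in
        clean)    ;;                                         # nothing pre-placed
        stale)    printf 'stale\n' > "$d/shells.tmp" ;;      # leftover regular file
        symlink)  ln -s "$d/target"  "$d/shells.tmp" ;;      # link to existing file
        dangling) ln -s "$d/missing" "$d/shells.tmp" ;;      # link to nothing
    esac
    # Same redirection as the excerpt, in a subshell so noclobber stays local.
    if ( set -o noclobber; cat "$d/shells" > "$d/shells.tmp" ) 2>/dev/null
    then result=created
    else result=refused
    fi
    # Was anything behind the link written or created?
    if [ "$(cat "$d/target")" != original ] || [ -e "$d/missing" ]
    then result="$result,target-modified"
    else result="$result,target-intact"
    fi
    rm -rf "$d"
    printf '%s\n' "$result"
}

for kind in clean stale symlink dangling; do
    printf '%-9s %s\n' "$kind" "$(run_case "$kind")"
done
```

The check covers what is already at the path when the redirection runs; whether an unprivileged user can place anything there depends on the permissions of the directory holding `$file`.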

---------------------------------------
Date: Wed, 28 Sep 2005 19:08:28 +0200
From: Christian Perrier <bubulle at debian.org>
To: Alexander Gattin <xrgtn at yandex.ru>, 330350-done at bugs.debian.org
Subject: Re: Bug#330350: [Pkg-shadow-devel] Bug#330350: passwd: Potential symlink attack problem in remove-shell?
Message-ID: <20050928170828.GF26213 at djedefre.onera>
References: <20050927170756.166AE40A0A3 at mykerinos.kheops.frmug.org> <20050927221756.GA1383 at nekral.homelinux.net> <20050928044750.GS25499 at djedefre.onera> <20050928153314.GB13830 at cherokee.kiev.ua>

Closing after wise advice...




