[Radiance-dev] Security issue - Insecure use of files in /tmp
Randolph Fritz
rfritz at u.washington.edu
Wed Aug 13 17:57:08 PDT 2008
I don't understand the reasoning here. Unless you're running Security-Enhanced Linux, if an "evil person" has an account on your system, system security is toast anyway--as the implementation of mktemp(3) (among many other features) shows, Unix was never designed to be secure against a determined attack by a malicious user.
Randolph
On Wed, 13 Aug 2008, Bernd Zeimetz wrote:
> Hi Greg,
>
>> How do you create a file with an "unpredictable" name? Why is this even
>> an issue unless a script or program has the suid bit enabled? Radiance
>> programs should never have permission to do anything a user couldn't,
>> unless they're being run by root.
>
> Files with an unpredictable and unique name are generated by using
> random letters and numbers within the filename *and* - preferably in an
> atomic way - create the file and open it for reading/writing.
> This is also the reason why gcc warns about the use of mktemp(3). It
> requires a filename ending with an extension of XXXXXX (six x's). When
> the temporary file is generated, the name of the file is generated by
> taking the predetermined name in the program, and filling the field of
> X's with a random value. However, some operating systems fill the first
> five X's in the field with the process number, and the last X with one
> of twenty-six lower case letters in the alphabet. Even worse, mktemp(3)
> does not create and open the file, so if you call mktemp(3) twice, you
> could end up with the same predictable filename.
>
> But why is this bad?
> If I'm an evil person and know that a program creates a file in /tmp in
> an insecure (== predictable) way, I can
> - create the file on my own, so - depending on the program of course -
> I'm able to feed the program with my data or let it execute stuff with
> the rights of the user who runs the program.
> - use a symlink attack and create a symlink which points to some other
> file - for example to destroy files of the user running the program.
> Imagine you're rendering something for hours, and while rendering the
> last piece of the image I trick one of the programs/scripts into writing
> its temporary junk into the result of hours of rendering - your work is
> lost.
> So this is not really related to being root or not, but it's a good way
> to gain more privileges on a system on the way to become root ;)
>
> Although the impact of this kind of vulnerability is low, it is still
> bad enough to get a CVE id for it and end up with fixes by security
> uploads and the corresponding announcements in the distributions....
>
> For shell scripts the best thing to use is the mktemp(1) utility (if
> it's available, which is the case for most platforms these days, afaik),
> otherwise a file name with at least enough random letters/numbers needs
> to be used.
>
>
>> There are quite a few scripts that create temporary files this way in
>> Radiance:
>>
>> % grep -l '/tmp' */*.csh
>> cv/optics2rad.csh
>> gen/genbackg.csh
>> gen/genpine.csh
>> gen/genwindow.csh
>> gen/markpath.csh
>> px/falsecolor.csh
>> px/normpat.csh
>> px/pacuity.csh
>> px/pbilat.csh
>> px/pdelta.csh
>> px/phisteq.csh
>> px/phisto.csh
>> px/psquish.csh
>> px/pveil.csh
>> px/ran2tiff.csh
>> px/vlpic.csh
>> px/xyzimage.csh
>> util/compamb.csh
>> util/dayfact.csh
>> util/objline.csh
>> util/objpict.csh
>> util/objview.csh
>> util/raddepend.csh
>
> ouch...
>
> I'll see what's the best way to fix this in Debian - which needs to be
> done before Lenny is released (==soon).
>
> Cheers,
>
> Bernd
>
> --
> Bernd Zeimetz Debian GNU/Linux Developer
> GPG Fingerprint: 06C8 C9A2 EAAD E37E 5B2C BE93 067A AD04 C93B FF79
>
>
> _______________________________________________
> Radiance-dev mailing list
> Radiance-dev at radiance-online.org
> http://www.radiance-online.org/mailman/listinfo/radiance-dev
>
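The symlink attack Bernd describes against a predictable /tmp name, and the mktemp(1) fix he recommends for shell scripts, as an added example. This is not code from Radiance or from anyone in the thread: it uses a scratch directory created with mktemp -d in place of /tmp, and the names rad$$, rad.XXXXXXXX and render.hdr are made up for the illustration.

```shell
#!/bin/sh
# Added example, not Radiance's code: reproduce the symlink attack from the
# thread against a predictable temp-file name, then show the mktemp(1) fix.
# A private scratch directory stands in for /tmp so the demo is self-contained.

# Insecure pattern, the kind of thing the csh scripts do: fixed prefix plus PID.
# $$ is visible to any local user via ps(1), so the name is predictable, and
# ">" happily follows a symlink that someone else planted at that name.
insecure_tmp_write() {            # $1 = directory standing in for /tmp
    tmp="$1/rad$$"
    echo "temporary junk" > "$tmp"
    printf '%s\n' "$tmp"
}

# Secure pattern: mktemp(1) creates the file itself, atomically (O_CREAT|O_EXCL),
# mode 0600, with a random suffix.  It cannot be pre-planted and is not guessable.
secure_tmp_write() {              # $1 = directory standing in for /tmp
    tmp=$(mktemp "$1/rad.XXXXXXXX") || return 1
    echo "temporary junk" > "$tmp"
    printf '%s\n' "$tmp"
}

# Attacker's move: plant a symlink at the name the insecure script will use,
# pointing at the victim's finished render.
plant_symlink() {                 # $1 = scratch dir, $2 = victim file
    ln -s "$2" "$1/rad$$"
}

# Returns 0 when the attack clobbers the victim through the insecure pattern
# but leaves it intact with the mktemp(1) pattern.
run_demo() {
    dir=$(mktemp -d) || return 1
    victim="$dir/render.hdr"      # stand-in for hours of rendering output
    echo "precious render" > "$victim"
    plant_symlink "$dir" "$victim"

    # Victim runs the insecure script: its write goes through the symlink.
    insecure_tmp_write "$dir" >/dev/null
    insecure_clobbered=0
    [ "$(cat "$victim")" = "temporary junk" ] && insecure_clobbered=1

    # Restore the render, leave the planted symlink in place, and use mktemp(1).
    echo "precious render" > "$victim"
    tmp=$(secure_tmp_write "$dir") || { rm -rf "$dir"; return 1; }
    secure_safe=0
    [ "$(cat "$victim")" = "precious render" ] && [ ! -L "$tmp" ] && secure_safe=1

    rm -rf "$dir"
    [ "$insecure_clobbered" = 1 ] && [ "$secure_safe" = 1 ]
}

if run_demo; then
    echo "predictable name: render clobbered via symlink; mktemp(1) name: render intact"
else
    echo "demo did not behave as expected" >&2
fi
```

The demo does not need the attacker to be root, only to share the directory and to guess the name; that is why the rad$$ form (prefix plus PID) is no better than a fixed name. Note that mktemp(1) only helps if the script uses the name it returns and never re-derives it from a template of its own.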