Bash tools are insecure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Toolkit moved to https://jira.percona.com/projects/PT | Fix Released | High | Brian Fraser |
Bug Description
I'm sorry, these programs are not production safe:
pt-diskstats pt-sift pt-summary pt-mysql-summary pt-collect pt-mext
If good old Maatkit programs mentioned risks in their manual pages, then these programs do not even mention such risk, giving a false sense of security to the end user.
They are using hardcoded filenames in a world-writable dir (/tmp) and thus are open to symlink attacks.
pt-summary even considers the risk and does nothing to prevent the symlink attack:
--- CUT ---
# The temp files are for storing working results so we don't call commands many
# times (gives inconsistent results, maybe adds load on things I don't want to
# such as RAID controllers). They must not exist -- if they did, someone would
# symlink them to /etc/passwd and then run this program as root. Call this
# function with "rm" or "touch" as an argument.
temp_files() {
   for file in /tmp/percona-
      case "$1" in
         touch)
            if ! touch "${file}"; then
               echo "I can't make my temp file ${file}";
               exit 1;
            fi
            ;;
         rm)
            rm -f "${file}"
            ;;
      esac
   done
}
--- CUT ---
If a program needs state files with fixed filenames to work, it should create a temporary dir first and place the files there,
or use some other way to get a private dir, i.e. let the user choose the work dir via some command-line option.
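
The private-directory approach suggested in the report, as an added example (not Percona Toolkit's code and not the fix that was released). The function names, the `percona-toolkit.` prefix and the state-file names are assumptions.

```sh
#!/bin/sh
# Added example: keep fixed-name state files in a private work directory.
# Function names, prefix and file names are hypothetical.

# Create a fresh owner-only directory under $1 (default $TMPDIR or /tmp)
# and print its path; returns non-zero on failure.
make_workdir() {
    base="${1:-${TMPDIR:-/tmp}}"
    # mktemp -d creates the directory itself with an unpredictable name and
    # fails rather than reusing an existing path, so a pre-planted symlink
    # or directory is never adopted. umask 077 applies only in this subshell.
    dir=$(umask 077 && mktemp -d "$base/percona-toolkit.XXXXXXXX") || return 1
    # Re-check: a real directory, not a symlink, owned by the current user.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        return 1
    fi
    printf '%s\n' "$dir"
}

# Create state file $2 inside directory $1. With noclobber (set -C) the
# redirection fails if the name already exists as a regular file or as a
# symlink to one, instead of truncating or writing through it.
create_state_file() {
    ( set -C; : > "$1/$2" ) 2>/dev/null
}

# Usage: one private directory per run, removed on exit.
workdir=$(make_workdir) || { echo "cannot create private work dir" >&2; exit 1; }
trap 'rm -rf "$workdir"' EXIT
for name in summary mysql-variables; do   # constructed file names
    create_state_file "$workdir" "$name" || {
        echo "cannot create $workdir/$name" >&2
        exit 1
    }
done
```

Passing a directory argument to `make_workdir` covers the other suggestion in the report, a work dir chosen by the user on the command line.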
Related branches
- Daniel Nichter: Approve
Diff: 1194 lines (+349/-173), 6 files modified
bin/pt-mext (+44/-1)
bin/pt-mysql-summary (+122/-76)
bin/pt-sift (+56/-11)
bin/pt-summary (+120/-78)
t/pt-mysql-summary/get_mysql_info.sh (+3/-3)
util/test-bash-functions (+4/-4)
visibility: private → public
tags: added: risk
no longer affects: percona-toolkit/2.0
Changed in percona-toolkit:
status: Confirmed → Fix Committed
Changed in percona-toolkit:
status: Fix Committed → Fix Released
Elan, you'll be happy to know that work is already underway to fix these issues. When these Aspersa tools were forked into Percona Toolkit, we had already intended to make them secure and open about their risks like the Maatkit tools. I began work to that end a month or so ago, but another project came up which demanded all my time. I'll return soon to these tools and when I'm finished, they won't have these concerns.