predictable /tmp names
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| flash-kernel (Ubuntu) |
Triaged
|
Undecided
|
Unassigned | ||
Bug Description
flash-kernel uses predictable symlinks in /tmp when preparing kernels for install. It does use "$(tempfile)" to generate names but, after using the name, it will reuse it w/ different suffixes appended ($tmp.uboot, $tmp.boot.script, etc) - allowing local users to notice the tmp name and generate symlinks to user-owned files.
It looks like the symlink protection kernel patches went into maverick, so this is probably just a DoS there (local users can make flash-kernel fail by creating the symlinks), but for lucid it looks like a priv escalation, allowing a local user to manipulate the boot files that get installed. I don't know how many multi-user arm systems are out there running lucid - I'm guessing not a lot.
The version of flash-kernel in squeeze/sid doesn't appear to have these issues.
| dann frazier (dannf) wrote | #1 |
| visibility: | private → public |
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in flash-kernel (Ubuntu): | |
| status: | New → Confirmed |
| status: | Confirmed → Triaged |
Thanks for using Ubuntu and reporting a bug. I'm not sure the proposed patch fully addresses the problem because it may still be racy. I think the best solution is to use 'mktemp -d' and then operate on files within this directory. This is easy to verify because the directory will be created with safe permissions and guarantee race conditions can't be exploited.