predictable /tmp names
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
flash-kernel (Ubuntu) | Triaged | Undecided | Unassigned |
Bug Description
flash-kernel uses predictable symlinks in /tmp when preparing kernels for install. It does use "$(tempfile)" to generate names but, after using the name, it will reuse it with different suffixes appended ($tmp.uboot, $tmp.boot.script, etc.), allowing local users to notice the tmp name and generate symlinks to user-owned files.
It looks like the symlink protection kernel patches went into maverick, so this is probably just a DoS there (local users can make flash-kernel fail by creating the symlinks), but for lucid it looks like a privilege escalation, allowing a local user to manipulate the boot files that get installed. I don't know how many multi-user ARM systems are out there running lucid; I'm guessing not a lot.
The version of flash-kernel in squeeze/sid doesn't appear to have these issues.
visibility: private → public
Thanks for using Ubuntu and reporting a bug. I'm not sure the proposed patch fully addresses the problem because it may still be racy. I think the best solution is to use 'mktemp -d' and then operate on files within this directory. This is easy to verify because the directory will be created with safe permissions and guarantee race conditions can't be exploited.
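The two patterns discussed above, as an added illustration that is not flash-kernel's own script nor anything attached to this bug: a script that takes one safe temporary name and then derives further names by appending suffixes, beside the `mktemp -d` approach from the comment. It uses `mktemp` in place of `tempfile(1)` so it runs where debianutils is not installed; the file names, the `boot.script` contents and the "attacker" (simulated by the same user pre-planting a symlink at the derived name) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this bug report (not flash-kernel code).
# Shows why a name derived from a safe temporary name by appending a suffix
# is not itself safe, and how a private directory from `mktemp -d` avoids it.
set -u

# Vulnerable pattern: one safe temp name, then "$tmp.boot.script" written
# with plain shell redirection, which happily follows a symlink already at
# that predictable path (no O_EXCL, no ownership check).
unsafe_write_boot_file() {
    tmp=$1
    printf 'bootm 0x80000000\n' > "$tmp.boot.script"
}

# Simulated local attacker: observe the base name in /tmp, plant a symlink at
# the derived name pointing at a file they want overwritten, then let the
# script run. Both files are owned by the same user here, so the kernel's
# sticky-directory symlink protection does not intervene.
demo_predictable_suffix() {
    base=$(mktemp) || return 1
    victim=$(mktemp) || return 1          # stands in for a file the attacker chose
    printf 'original\n' > "$victim"
    ln -s "$victim" "$base.boot.script"   # attacker wins the race on the derived name
    unsafe_write_boot_file "$base"
    if grep -q '^bootm' "$victim"; then echo clobbered; else echo intact; fi
    rm -f "$base" "$base.boot.script" "$victim"
}

# Safer pattern from the comment: one private directory per run, created
# mode 0700 by mktemp -d, with every work file inside it. Nobody else can
# create entries there, so no symlink can be pre-planted at any name the
# script will use, and there is no second name to guess.
safe_write_boot_file() {
    workdir=$1
    printf 'bootm 0x80000000\n' > "$workdir/boot.script"
}

# Returns the permission string of the work directory; expected drwx------.
demo_private_dir() {
    workdir=$(mktemp -d) || return 1
    safe_write_boot_file "$workdir"
    mode=$(ls -ld "$workdir" | cut -c1-10)
    rm -rf "$workdir"
    echo "$mode"
}

echo "derived suffix name:  $(demo_predictable_suffix)"
echo "mktemp -d directory:  $(demo_private_dir)"
```

The check the comment calls "easy to verify" is the second function: the directory mode is decided by `mktemp -d` at creation, not by the script's later writes, so a reviewer only has to confirm that every path the script touches lives under that directory (and that it is removed on exit, e.g. from a `trap`).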