initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sysvinit (Debian) | Fix Released | Unknown | | |
| sysvinit (Ubuntu) | Fix Released | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #264234 http://
In Debian Bug tracker #264234, Miquel van Smoorenburg (miquels-cistron) wrote : Re: Bug#264234: initscripts: bootclean.sh file creation vulnerability | #1 |
In Debian Bug tracker #264234, Zygo Blaxell (zblaxell) wrote : | #2 |
On Sun, Aug 08, 2004 at 01:10:39PM +0200, Miquel van Smoorenburg wrote:
> Well, it would indeed be a good idea to remove /tmp/.clean early in
> the boot process to prevent this.
Actually in this particular case it will be sufficient to remove .clean
immediately before touching it:
rm -rf /tmp/.clean
:>> /tmp/.clean
The assumption that makes this safe is that evil user processes (e.g.
cron jobs, user logins, email delivers, etc) have not had a chance to
start running yet, so they can't reinsert the symlink between those
two lines.
> However on a standard system this
> cannot happen.
>
> At shutdown time, /etc/init.d/umountnfs.sh (which is really badly
> named, I admit) removes /tmp/.clean, so that should be sufficient.
Assuming the machine goes down cleanly, of course. Most of my system
reboots these days are due to power failures or poor resource planning
("Hmmm, I guess I can't run 50 instances of spamassassin on that machine
after all, it runs out of RAM and the watchdog kills it").
In Debian Bug tracker #264234, Thomas Hood (jdthood-aglu) wrote : Fix for sarge? | #3 |
This poses a security risk and there is a straightforward fix.
Fix for sarge?
--
Thomas
In Debian Bug tracker #264234, Thomas Hood (jdthood-yahoo) wrote : retitle 264234 to initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack, tagging 264234 | #4 |
# Automatically generated email from bts, devscripts version 2.8.1
retitle 264234 initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack
tags 264234 security
In Debian Bug tracker #264234, Miquel van Smoorenburg (miquels) wrote : Re: Bug#264234: Fix for sarge? | #5 |
On Tue, 17 Aug 2004 21:34:52, Thomas Hood wrote:
> This poses a security risk and there is a straightforward fix.
> Fix for sarge?
Probably should upload to proposed-updates, yes. Increase
the severity of the bug first ?
Mike.
In Debian Bug tracker #264234, Thomas Hood (jdthood-aglu) wrote : | #6 |
severity 264234 serious
thanks
On Tue, 2004-08-17 at 22:21, Miquel van Smoorenburg wrote:
> Probably should upload to proposed-updates, yes. Increase
> the severity of the bug first ?
Done with this message
--
Thomas
Debian Bug Importer (debzilla) wrote : | #8 |
Message-Id: <email address hidden>
Date: Sat, 07 Aug 2004 14:38:06 -0400
From: Zygo Blaxell <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: initscripts: bootclean.sh file creation vulnerability
Package: initscripts
Version: 2.86-1
Severity: normal
While rejecting modifications to bootclean.sh today, I noticed a line
that read:
:>> /tmp/.clean
This suggests at least a file creation security vulnerability exploitable
as follows:
zblaxell@dio:~$ ls -l /tmp/.clean
ls: /tmp/.clean: No such file or directory
zblaxell@dio:~$ ln -s /FOO /tmp/.clean
zblaxell@dio:~$ reboot -ndf
...one reboot later...
zblaxell@dio:~$ ls -l /FOO
-rw-r--r-- 1 root root 0 Aug 7 13:56 /FOO
The ability to create root-owned empty files with arbitrary names can
probably be used to at least create inconvenience, if not wreak more
interesting security-related havoc.
-- System Information:
Debian Release: 3.0
APT prefers testing
APT policy: (102, 'testing'), (101, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-zb-k7-smp
Locale: LANG=C, LC_CTYPE=C
Versions of packages initscripts depends on:
ii coreutils 5.2.1-2 The GNU core utilities
ii dpkg 1.10.23 Package maintenance system for Deb
ii e2fsprogs 1.35-6 The EXT2 file system utilities and
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii mount 2.11n-7 Tools for mounting and manipulatin
ii util-linux 2.11n-7 Miscellaneous system utilities.
-- no debconf information
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Sun, 8 Aug 2004 13:10:39 +0200
From: Miquel van Smoorenburg <email address hidden>
To: Zygo Blaxell <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#264234: initscripts: bootclean.sh file creation vulnerability
On Sat, 07 Aug 2004 20:38:06, Zygo Blaxell wrote:
> Package: initscripts
> Version: 2.86-1
> Severity: normal
>
> While rejecting modifications to bootclean.sh today, I noticed a line
> that read:
>
> :>> /tmp/.clean
>
> This suggests at least a file creation security vulnerability exploitable
> as follows:
Well, it would indeed be a good idea to remove /tmp/.clean early in
the boot process to prevent this. However on a standard system this
cannot happen.
At shutdown time, /etc/init.d/umountnfs.sh (which is really badly
named, I admit) removes /tmp/.clean, so that should be sufficient.
Unless an attacker creates a symlink in /tmp/.clean and finds
a way to hard-reboot the kernel (using say a kernel vulnerability
like 2.4.25 had).
Severity can stay at "normal" for now, I guess.
Mike.
Matt Zimmerman (mdz) wrote : | #15 |
Should be trivially fixable with set noclobber or similar; Martin, can you take
care of this?
In Debian Bug tracker #264234, Martin Pitt (pitti) wrote : Proposed patch | #16 |
tags 264234 patch
thanks
Hi Miquel!
Deleting */.clean before creating it is a good idea to overcome
symlink attacks. To be absolutely sure that the attacker cannot insert
a command in between, the creation command should be executed in a
noclobber environment.
I prepared a patch directly against /etc/init.
closes this security hole and works very well. You can find it on
http://
What do you think?
Thanks and have a nice day!
Martin
--
Martin Pitt Debian GNU/Linux Developer
<email address hidden> <email address hidden>
http://
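The two-step fix discussed in Zygo Blaxell's reply above (delete the path, then create it) together with Martin Pitt's refinement of doing the creation under noclobber, as an added shell example. This is not the initscripts code and was not posted by anyone in this thread; the function names are this example's own, it assumes a POSIX sh that supports `set -C` (bash or dash), and it works only inside a throwaway directory from `mktemp -d`, never on /tmp/.clean.

```shell
#!/bin/sh
# Added example, not code from initscripts or from anyone in this thread.
# Shows why ': >> file' in a world-writable directory is unsafe and how the
# fix discussed above (delete first, then create under noclobber) behaves.
# Every path lives in a throwaway directory from mktemp -d; /tmp/.clean is
# never touched. Function names are this example's own.

# Vulnerable form, as bootclean.sh had it: the shell opens $1 with
# O_CREAT|O_APPEND, which follows a symlink, so a planted link makes the
# link target appear as a new file owned by whoever runs the script.
create_marker_unsafe() {
    : >> "$1"
}

# Hardened form. rm -rf removes the path itself and never the link target.
# set -C (noclobber) makes '>' open with O_CREAT|O_EXCL, so the redirection
# fails if anything, a dangling symlink included, reappears at the path
# between the two commands. The subshell keeps noclobber out of the caller.
# The final check (regular file, not a symlink) is this example's addition.
create_marker() {
    rm -rf "$1"
    ( set -C; : > "$1" ) 2>/dev/null || return 1
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Scenario 1: unsafe form against a pre-planted dangling symlink.
# Returns 0 when the link target got created, i.e. the defect is present.
unsafe_follows_planted_link() {
    d=$(mktemp -d) || return 2
    ln -s "$d/target" "$d/marker"
    create_marker_unsafe "$d/marker"
    if [ -e "$d/target" ]; then r=0; else r=1; fi
    rm -rf "$d"
    return $r
}

# Scenario 2: hardened form against the same planted symlink.
# Returns 0 when the marker is a plain file and no link target appeared.
hardened_ignores_planted_link() {
    d=$(mktemp -d) || return 2
    ln -s "$d/target" "$d/marker"
    if create_marker "$d/marker" && [ ! -e "$d/target" ]; then r=0; else r=1; fi
    rm -rf "$d"
    return $r
}

# Scenario 3: noclobber on its own, standing in for a symlink re-planted in
# the window after rm. Returns 0 when the redirection is refused and no
# link target appeared.
noclobber_refuses_planted_link() {
    d=$(mktemp -d) || return 2
    ln -s "$d/target" "$d/marker"
    if ( set -C; : > "$d/marker" ) 2>/dev/null; then r=1; else r=0; fi
    if [ -e "$d/target" ]; then r=1; fi
    rm -rf "$d"
    return $r
}

# Stand-alone run: one line per scenario.
for scenario in unsafe_follows_planted_link hardened_ignores_planted_link \
                noclobber_refuses_planted_link; do
    if "$scenario"; then echo "$scenario: behaves as described"
    else echo "$scenario: UNEXPECTED result"; fi
done
```

Noclobber is the guard for the race window, not a replacement for the deletion: bash and dash both add O_EXCL only when stat() on the path fails, so it is the `rm -rf` that guarantees the path starts empty, and `set -C` then refuses anything that reappears before the `>` runs. Running the block as-is prints one line per scenario; the functions return 0 when the behaviour matches what the thread describes.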
Martin Pitt (pitti) wrote : | #18 |
fixed in sysvinit_
In Debian Bug tracker #264234, Thomas Hood (jdthood-yahoo) wrote : tagging 264235, tagging 264234 | #19 |
# Automatically generated email from bts, devscripts version 2.8.4
tags 264235 - sarge
tags 264234 sarge
In Debian Bug tracker #264234, Miquel van Smoorenburg (miquels) wrote : Bug#264234: fixed in sysvinit 2.86-2 | #21 |
Source: sysvinit
Source-Version: 2.86-2
We believe that the bug you reported is fixed in the latest version of
sysvinit, which is due to be installed in the Debian FTP archive:
initscripts_
to pool/main/
sysv-rc_
to pool/main/
sysvinit_
to pool/main/
sysvinit_2.86-2.dsc
to pool/main/
sysvinit_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Miquel van Smoorenburg <email address hidden> (supplier of updated sysvinit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Format: 1.7
Date: Mon, 6 Sep 2004 19:02:19 +0200
Source: sysvinit
Binary: sysv-rc sysvinit initscripts
Architecture: source i386 all
Version: 2.86-2
Distribution: testing-
Urgency: high
Maintainer: Miquel van Smoorenburg <email address hidden>
Changed-By: Miquel van Smoorenburg <email address hidden>
Description:
initscripts - Standard scripts needed for booting and shutting down
sysv-rc - Standard boot mechanism using symlinks in /etc/rc?.d
sysvinit - System-V like init
Closes: 264234 264894
Changes:
sysvinit (2.86-2) testing-
.
* Remove .clean file before touching it; prevents symlink attack
which in rare circumstances could result in random file creation
(closes: #264234)
* Do the above in a noclobber environment (Martin Pitt).
* Don't mount network filesystems multiple times (closes: #264894)
Files:
8ab97fc5148e8b
90207f8bbff5a7
5e5c7df26bd1dd
060405f3f92a8e
7da3a420806342
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQB1AwUBQT8CB1i
264NV7m5HHIV5k4
5skn4cZ6nILV+
=W0/V
-----END PGP SIGNATURE-----
Changed in sysvinit:
status: Unknown → Fix Released