Bugtraq mailing list archives
Bash: Security problem during compilation time.
From: stervino () INFO ENSERB U-BORDEAUX FR (Alexandre Stervinou)
Date: Tue, 17 Mar 1998 07:36:30 +0100
Introduction:
This is another /tmp symlink problem. Bash 2.01.1 & previous
releases are concerned. Authors have been warned.
I'd like to apologize if I missed a previous post about this
bug.
Description:
File concerned: bash-2.01.1/builtins/psize.sh
Problem: A temporary file called /tmp/pipesize is created at
each compilation, without checking its existence, file permissions
and/or the owner of this file. This may lead to a data integrity
problem if someone has previously created a symlink to another file on the
system. At the end of the compilation, the person who did it could
realize that one of his own files has been erased, if the symlink
pointed to it.
Repeat-By:
Let's take a sensitive case: root will compile bash. A user
called "user" knows this symlink problem and decides to
provoke the crushing of /etc/passwd.
user$ ln -s /etc/passwd /tmp/pipesize
One day, root wants to compile bash for his system. In the
source directory of bash:
root# ./configure
root# make
And now, the /etc/passwd file contains the pipe size
corresponding to the OS.
Fix(?):
Here is a simple fix, which is not perfect, but reduces the easy
way of doing such damage to a less obvious race condition issue:
#-----------BEGIN psize.sh------------
#! /bin/sh
#
# psize.sh -- determine this system's pipe size, and write a define to
# pipesize.h so ulimit.c can use it.
#
# modified by Alexandre Stervinou, April 17th, 1998 -- possible symlink
# problem
echo "/*"
echo " * pipesize.h"
echo " *"
echo " * This file is automatically generated by psize.sh"
echo " * Do not edit!"
echo " */"
echo ""
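TMPDIR=/tmp
# Per-process name instead of the fixed /tmp/pipesize
TMPNAME=pipesize.$$
# Remove the temporary file on HUP, INT, QUIT, ABRT and TERM
trap 'rm -rf "$TMPDIR/$TMPNAME"' 1 2 3 6 15
# Refuse to continue if the name already exists (file or symlink target).
# The check and the later write are separate steps, so a race remains.
if [ ! -e "$TMPDIR/$TMPNAME" ]; then
    ./psize.aux 2>"$TMPDIR/$TMPNAME" | sleep 3
    if [ -s "$TMPDIR/$TMPNAME" ]; then
        echo "#define PIPESIZE `cat "$TMPDIR/$TMPNAME"`"
    else
        echo "#define PIPESIZE 512"
    fi
    rm -f "$TMPDIR/$TMPNAME"
else
    exit 1
fi
exit 0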
#-----------END psize.sh------------
--
Alexandre Stervinou
mailto:stervino () info enserb u-bordeaux fr
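
Added example, not part of the original post or of bash's own build scripts: the fixed-name write from the report next to a variant that lets mktemp -d create a private directory atomically, which closes the check-then-create race the posted fix leaves open. The names measure_pipe (a stand-in for ./psize.aux), write_predictable, write_private and demo are hypothetical, and everything runs inside a constructed sandbox directory rather than /tmp itself.

```shell
#!/bin/sh
# measure_pipe: hypothetical stand-in for ./psize.aux, which reports on stderr.
measure_pipe() { echo 4096 >&2; }

# Pattern from the report: fixed name in a shared directory.
# The ">" redirection follows a pre-existing symlink at that name.
write_predictable() {   # $1 = shared directory
    measure_pipe 2>"$1/pipesize"
}

# Hardened pattern: mktemp -d creates a new mode-0700 directory with an
# unpredictable name in one atomic step and fails if the path exists,
# so there is no window between a check and the create.
write_private() {       # $1 = shared directory; prints the #define line
    dir=$(mktemp -d "$1/psize.XXXXXX") || return 1
    measure_pipe 2>"$dir/out"
    if [ -s "$dir/out" ]; then
        echo "#define PIPESIZE $(cat "$dir/out")"
    else
        echo "#define PIPESIZE 512"
    fi
    rm -rf "$dir"
}

# Constructed sandbox: "victim" plays the file a pre-planted symlink points at.
# Prints the victim's content after each write, separated by "|".
demo() {
    sandbox=$(mktemp -d) || return 1
    echo "important" >"$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/pipesize"
    write_private "$sandbox" >/dev/null
    after_private=$(cat "$sandbox/victim")
    write_predictable "$sandbox"
    after_predictable=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    echo "$after_private|$after_predictable"
}

demo   # prints: important|4096
```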
