
Bug#771793: pcp: insecure use of /var/tmp in postinst

To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Subject: Bug#771793: pcp: insecure use of /var/tmp in postinst
From: Jakub Wilk <jwilk@xxxxxxxxxx>
Date: Tue, 2 Dec 2014 14:16:42 +0100
Delivered-to: pcp@xxxxxxxxxxx
Delivered-to: submit@xxxxxxxxxxxxxxx
Reply-to: Jakub Wilk <jwilk@xxxxxxxxxx>, 771793@xxxxxxxxxxxxxxx
Resent-cc: jwilk@xxxxxxxxxx, PCP Development Team <pcp@xxxxxxxxxxx>
Resent-date: Tue, 02 Dec 2014 13:21:01 +0000
Resent-from: Jakub Wilk <jwilk@xxxxxxxxxx>
Resent-message-id: <handler.771793.B.14175262117896@xxxxxxxxxxxxxxx>
Resent-to: debian-bugs-dist@xxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.23 (2014-03-12)
Package: pcp
Version: 3.10.1
Tags: security

The postinst script does this:

for dir in /var/tmp/mmv /var/tmp/pmdabash
do
   [ -d $dir -a -G $dir -a -O $dir ] && mv $dir /var/lib/pcp/tmp
done

The intention here was to move only root-owned directories. But there are at least two ways to (partially) defeat this check:

1) On systems that lack symlink protection (/proc/sys/fs/protected_symlinks), a local attacker could:
- create /var/tmp/mmv as a symlink to a root-owned directory;
- then, between the security check and the mv(1) call, switch the symlink to point to something else.

2) On systems that lack hardlink protection (/proc/sys/fs/protected_hardlinks), a local attacker could:
- create /var/tmp/mmv as a regular directory, so that the [ -d $dir ] check passes;
- then rmdir /var/tmp/mmv, and make /var/tmp/mmv a hardlink to a root-owned file, so that the [ -G $dir ] and [ -O $dir ] checks pass.

I'd suggest using stat(1) to check the file type and ownership atomically, and without following symlinks. Something like this should work:

   [ "$(LC_ALL=C stat -c '%u %g %F' $dir)" = "0 0 directory" ] && mv $dir /var/lib/pcp/tmp

--
Jakub Wilk
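
The stat(1)-based check proposed above, as an added example that is not part of the bug report or of the pcp package. It assumes GNU coreutils stat(1) (format specifiers %u, %g, %F); the function names is_owned_dir and move_if_root_dir are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pcp. Assumes GNU stat(1).
# stat(1) without -L reports on the path itself, so a symlink placed at PATH
# shows up as "symbolic link", a hardlinked file as "regular file", and only a
# real directory as "directory". Type and ownership come from one stat call,
# unlike the three separate test(1) checks in the original postinst.

# is_owned_dir PATH UID GID
# Returns 0 only if PATH is a real directory (not a symlink to one) owned by
# UID:GID. A missing or unreadable path simply fails the check.
is_owned_dir() {
    path=$1
    want_uid=$2
    want_gid=$3
    got=$(LC_ALL=C stat -c '%u %g %F' "$path" 2>/dev/null) || return 1
    [ "$got" = "$want_uid $want_gid directory" ]
}

# move_if_root_dir SRC DESTDIR
# Replacement for the postinst test: move SRC into DESTDIR only when SRC is a
# root-owned real directory. The check and the mv are still two separate
# operations, so this narrows the window of the original code rather than
# removing it entirely; protected_symlinks/protected_hardlinks close the rest.
move_if_root_dir() {
    is_owned_dir "$1" 0 0 && mv "$1" "$2"
}

# Drop-in for the loop quoted in the report (left as a comment so the example
# runs without touching /var/tmp):
#   for dir in /var/tmp/mmv /var/tmp/pmdabash
#   do
#       move_if_root_dir "$dir" /var/lib/pcp/tmp
#   done
```
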
