On Mon, 2005-12-19 at 09:14 +0100, Henrik Stoerner wrote:
On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:
Just thought I might clarify tmp file handling for hobbit and hobbit client specifically.
It would seem to me that tmp file handling is probably insecure...
-rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913
-rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt
ie, it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup).
Hobbit does create a tmp directory for itself. Unless you've changed the configuration, all temporary files are kept in the directory pointed to by the BBTMP setting in hobbitclient.cfg; by default that is ~hobbit/client/tmp/
Well, I simply installed the 1.2p1 version from the deb file on sourceforge... I didn't customise/change anything at all. Perhaps this is different in the deb package version ??
You're right that the statically named "msg.txt" file could be a problem. In the current snapshot I've changed the client script to always generate the message using a temporary filename ("msg.txt.$$" which uses the PID of the client process - it changes from time to time). The hobbitclient.sh script now does
TEMPFILE="$BBTMP/msg.txt.$$"
rm -f $TEMPFILE
touch $TEMPFILE
... more commands to build and send the client message ...
rm -f $BBTMP/msg.txt
mv $TEMPFILE $BBTMP/msg.txt
If using a private tmp directory, then I don't really see this as a problem.. however, how about something like:
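MKTEMP=""
if [ -x /bin/mktemp ]
then
    MKTEMP=/bin/mktemp
elif [ -x /usr/bin/mktemp ]
then
    MKTEMP=/usr/bin/mktemp
fi
if [ -n "$MKTEMP" ]
then
    # mktemp creates the file itself and prints the name it chose
    TEMPFILE=`$MKTEMP "$BBTMP/msg.txt.XXXXXXX"`
else
    # no mktemp found: fall back to the PID-based name
    TEMPFILE="$BBTMP/msg.txt.$$"
    rm -f "$TEMPFILE"
    touch "$TEMPFILE"
    # etc....
fi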
That way, on hosts that have a mktemp in some 'standard' location, it will default to being 'more' secure....
The reason why I save the latest message in msg.txt is for debugging only. The ideal thing would be to use the "mktemp" command, but that is not available on all systems where the client may run.
This has been in the snapshots since November.
I suppose also, a simple if [ -e $TEMPFILE ] could check to see if the file exists, and then just immediately send some red alert to hobbit server with a reason.... "Possible symlink attack, file xyz already exists" etc....
Anyway, for me, it isn't a big concern, just noticed it, and thought I'd ask about it....
Regards, Adam
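
Added example (not part of the original thread and not code from hobbitclient.sh): a POSIX sh sketch of the two ideas discussed above, using mktemp where it exists and otherwise creating the PID-named file exclusively, so that an already existing file or symlink makes creation fail instead of being written through. The function name make_tempfile and the MKTEMP_BIN override are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example; make_tempfile and MKTEMP_BIN are hypothetical names,
# not part of the Hobbit client.

# make_tempfile DIR
# Prints the path of a newly created, empty file inside DIR.
# Returns non-zero if the file could not be created exclusively.
make_tempfile() {
    dir=$1
    # MKTEMP_BIN may be preset by the caller (empty means "no mktemp");
    # otherwise search PATH instead of hard-coding /bin or /usr/bin.
    mk=${MKTEMP_BIN-$(command -v mktemp 2>/dev/null || true)}
    if [ -n "$mk" ] && [ -x "$mk" ]; then
        # mktemp picks an unpredictable name and creates the file itself.
        "$mk" "$dir/msg.txt.XXXXXX"
        return
    fi
    # Fallback for hosts without mktemp: the name is predictable (PID),
    # so the create must be exclusive. With noclobber (set -C) the
    # redirect fails when the path already exists as a regular file or
    # as a dangling symlink, so nothing is written through a planted
    # link. The subshell keeps umask and noclobber local to this call.
    f="$dir/msg.txt.$$"
    ( umask 077; set -C; : > "$f" ) 2>/dev/null || return 1
    printf '%s\n' "$f"
}

# Usage inside a client script (BBTMP as in hobbitclient.cfg):
#   TEMPFILE=`make_tempfile "$BBTMP"` || { echo "cannot create temp file" >&2; exit 1; }
```

A non-zero return is the point where the "file xyz already exists" alert suggested above could be sent, without a separate existence check that could race with the create.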