Just thought I might clarify tmp file handling for hobbit and hobbit client specifically.
It would seem to me that tmp file handling is probably insecure...
-rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913
-rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt
i.e., it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup).
The vmstat file would be easier to do, since it is removed each time after use.
Just thought it would be nice to use a tmp dir specifically for hobbit, such as /tmp/hobbit or /usr/lib/hobbit/client/tmp etc .....
Regards, Adam
In my installation I have 2 hobbit tmp directories: $HOBBITHOME/client/tmp and $HOBBITHOME/server/tmp
I don't understand what you mean, because they are created automatically.
$ ll
total 112
-rw------- 1 hobbit users 39 Dec 19 09:05 BB-DISKCHK.TMP
-rw-rw-rw- 1 hobbit users 307 Dec 19 09:06 hobbit_vmstat.18544
-rw-rw-rw- 1 hobbit users 40935 Dec 19 09:06 msg.txt
$ pwd
/home/hobbit/client/tmp
Regards Lars
----- Original Message -----
From: "Adam Goryachev" <mailinglists at websitemanagers.com.au>
To: <hobbit at hswn.dk>
Sent: Monday, December 19, 2005 5:33 AM
Subject: [hobbit] Temporary Files
Just thought I might clarify tmp file handling for hobbit and hobbit client specifically.
It would seem to me that tmp file handling is probably insecure...
-rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913
-rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt
i.e., it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup).
The vmstat file would be easier to do, since it is removed each time after use.
Just thought it would be nice to use a tmp dir specifically for hobbit, such as /tmp/hobbit or /usr/lib/hobbit/client/tmp etc .....
Regards, Adam
On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:
> Just thought I might clarify tmp file handling for hobbit and hobbit client specifically.
> It would seem to me that tmp file handling is probably insecure...
> -rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913
> -rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt
> i.e., it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup).
> The vmstat file would be easier to do, since it is removed each time after use.
> Just thought it would be nice to use a tmp dir specifically for hobbit, such as /tmp/hobbit or /usr/lib/hobbit/client/tmp etc .....
Hobbit does create a tmp directory for itself. Unless you've changed the configuration, all temporary files are kept in the directory pointed to by the BBTMP setting in hobbitclient.cfg; by default that is ~hobbit/client/tmp/
The server uses the BBTMP setting from hobbitserver.cfg, which defaults to ~hobbit/server/tmp/
You're right that the statically named "msg.txt" file could be a problem. In the current snapshot I've changed the client script to always generate the message using a temporary filename ("msg.txt.$$" which uses the PID of the client process - it changes from time to time). The hobbitclient.sh script now does
TEMPFILE="$BBTMP/msg.txt.$$"
rm -f $TEMPFILE
touch $TEMPFILE
... more commands to build and send the client message ...
rm -f $BBTMP/msg.txt
mv $TEMPFILE $BBTMP/msg.txt
The reason why I save the latest message in msg.txt is for debugging only. The ideal thing would be to use the "mktemp" command, but that is not available on all systems where the client may run.
This has been in the snapshots since November.
Regards, Henrik
On Mon, 2005-12-19 at 09:14 +0100, Henrik Stoerner wrote:
> On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:
> > Just thought I might clarify tmp file handling for hobbit and hobbit client specifically.
> > It would seem to me that tmp file handling is probably insecure...
> > -rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913
> > -rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt
> > i.e., it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup).
> Hobbit does create a tmp directory for itself. Unless you've changed the configuration, all temporary files are kept in the directory pointed to by the BBTMP setting in hobbitclient.cfg; by default that is ~hobbit/client/tmp/
Well, I simply installed the 1.2p1 version from the deb file on sourceforge... I didn't customise/change anything at all. Perhaps this is different in the deb package version?
> You're right that the statically named "msg.txt" file could be a problem. In the current snapshot I've changed the client script to always generate the message using a temporary filename ("msg.txt.$$" which uses the PID of the client process - it changes from time to time). The hobbitclient.sh script now does
> TEMPFILE="$BBTMP/msg.txt.$$"
> rm -f $TEMPFILE
> touch $TEMPFILE
> ... more commands to build and send the client message ...
> rm -f $BBTMP/msg.txt
> mv $TEMPFILE $BBTMP/msg.txt
If using a private tmp directory, then I don't really see this as a problem... however, how about something like:
MKTEMP=""
if [ -x /bin/mktemp ]
then
    MKTEMP=/bin/mktemp
elif [ -x /usr/bin/mktemp ]
then
    MKTEMP=/usr/bin/mktemp
fi
if [ -n "$MKTEMP" ]
then
    # mktemp creates the file itself and prints the name it chose
    TEMPFILE=$($MKTEMP "$BBTMP/msg.txt.XXXXXXX")
else
    # no mktemp found: fall back to the PID-based name
    TEMPFILE="$BBTMP/msg.txt.$$"
    rm -f "$TEMPFILE"
    touch "$TEMPFILE"
    # etc....
fi
that way on hosts that have a mktemp in some 'standard' location, then it will default to being 'more' secure....
> The reason why I save the latest message in msg.txt is for debugging only. The ideal thing would be to use the "mktemp" command, but that is not available on all systems where the client may run.
> This has been in the snapshots since November.
I suppose also, a simple if [ -e $TEMPFILE ] could check to see if the file exists, and then just immediately send some red alert to hobbit server with a reason.... "Possible symlink attack, file xyz already exists" etc....
Anyway, for me, it isn't a big concern, just noticed it, and thought I'd ask about it....
Regards, Adam
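One way to get exclusive creation even on hosts without mktemp, as an added example that is not part of the original thread or of hobbitclient.sh: the fallback keeps the PID-based name but creates it under the shell's noclobber option, so the existence check and the creation are a single step. The function names and the scratch directory are hypothetical.

```shell
#!/bin/sh
# Added example, not taken from hobbitclient.sh.
# safe_tempfile DIR PREFIX prints the path of a file it has just created,
# or returns non-zero if it could not create one exclusively.
safe_tempfile() {
    dir=$1; prefix=$2
    # Prefer mktemp when one is on PATH: it picks an unpredictable name
    # and creates the file atomically with mode 0600.
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/$prefix.XXXXXX"
    else
        safe_tempfile_fallback "$dir" "$prefix"
    fi
}

# Fallback for hosts without mktemp: keep the PID-based name, but create it
# under noclobber (set -C) instead of "rm -f; touch". The shell then will
# not truncate an existing regular file, and will not create a new file
# through a symlink that was planted under the same name.
safe_tempfile_fallback() {
    dir=$1; prefix=$2
    candidate="$dir/$prefix.$$"
    # Subshell keeps umask and noclobber from leaking into the caller.
    if ( umask 077; set -C; : > "$candidate" ) 2>/dev/null; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "refusing to use pre-existing $candidate" >&2
    return 1
}

# Demo (constructed): a scratch directory stands in for $BBTMP.
demo_dir="${TMPDIR:-/tmp}/bbtmp-demo.$$"
if mkdir -m 700 "$demo_dir"; then
    safe_tempfile_fallback "$demo_dir" msg.txt           # created, path printed
    safe_tempfile_fallback "$demo_dir" msg.txt || true   # same name again: refused
    rm -rf "$demo_dir"
fi
```

A refusal from the fallback is the point at which a client could report the condition to the server, as suggested in the last message, rather than carrying on with a file it did not create.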
participants (3)
- henrik@hswn.dk
- lars.ebeling@leopg9.no-ip.org
- mailinglists@websitemanagers.com.au