Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
merge 494993 468159
thanks

Sven Dowideit wrote:

how would this would be different from ? Debian Bug report logs - #468159 twiki: Redirect after Template Login failes

Oops. Damn, I forgot to check if that it had been found already. I was so sure it would have been fixed by the time if such thing would have been reported already. Sorry for duplicate. In any case I guess this redirect will be solved soon now it has your attention. Merging both tickets, then.

Olivier Berger wrote:

On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:

the best irony of this bug, is : I've implemented Joey's suggestion of 1777 O_EXCL - mostly the files in tmp are written by CGI::Session, that takes care of things. I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point wrt to filling /var

By coincidence (testing authentication through CAS servers for TWiki, and tracing what happens in TemplateLogin), I happened to run into that O_EXCL permission on passthru files (dunno what they are, btw), and notice that apparently #444982 wasn't fixed the right way it seems. See more details in newly filed #494993. Sad irony ;-)

Best regards,
--
Olivier BERGER [EMAIL PROTECTED] - OpenPGP: 6B829EEC
Ingénieur Recherche - Dept INF - INT Evry (http://www.int-edu.eu)
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
tags 494648 patch thanks Hi, Sven see my patch, please -- . ''`. Dmitry E. Oboukhov : :’ : [EMAIL PROTECTED] `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537 diff -u twiki-4.1.2/debian/changelog twiki-4.1.2/debian/changelog --- twiki-4.1.2/debian/changelog +++ twiki-4.1.2/debian/changelog @@ -1,3 +1,12 @@ +twiki (1:4.1.2-3.3) unstable; urgency=low + + * Non-maintainer upload. + * Fix security hole, closes: #494648. + * Build instructions moved from section -arch to -indep (closes lintian +warning). + + -- Dmitry E. Oboukhov [EMAIL PROTECTED] Thu, 14 Aug 2008 10:23:41 +0400 + twiki (1:4.1.2-3.2) unstable; urgency=high * Non-maintainer upload. diff -u twiki-4.1.2/debian/LocalSite.cfg twiki-4.1.2/debian/LocalSite.cfg --- twiki-4.1.2/debian/LocalSite.cfg +++ twiki-4.1.2/debian/LocalSite.cfg @@ -11,8 +11,8 @@ $TWiki::cfg{Site}{CharSet} = 'iso-8859-15'; $TWiki::cfg{LoginManager} = 'TWiki::Client::ApacheLogin'; $TWiki::cfg{Plugins}{WysiwygPlugin}{Enabled} = 1; -$TWiki::cfg{RCS}{WorkAreaDir} = '/tmp/twiki'; -$TWiki::cfg{TempfileDir} = '/tmp/twiki'; +$TWiki::cfg{RCS}{WorkAreaDir} = '-UNDEFINED_TEMP_DIR-'; +$TWiki::cfg{TempfileDir} = '-UNDEFINED_TEMP_DIR-'; $TWiki::cfg{WorkingDir} = '/var/lib/twiki/working'; 1; diff -u twiki-4.1.2/debian/postinst twiki-4.1.2/debian/postinst --- twiki-4.1.2/debian/postinst +++ twiki-4.1.2/debian/postinst 
@@ -10,6 +10,29 @@ # Source debconf library. . /usr/share/debconf/confmodule +MAIN_CONFIG=/etc/twiki/LocalSite.cfg +CONFIG_TEMP_DIR=`cat $MAIN_CONFIG \ +|sed 's/#.*//'| grep TempfileDir | tail -n1\ +|sed s/.*\?=[[:space:]]*'\(.*\?\)'.*/\1/` +UNDEFINED_TEMP_DIR_PATTERN='-UNDEFINED_TEMP_DIR-' +TWIKI_SESSION_DIR=/tmp/twiki# first attempt to /tmp/twiki + +TWIKI_SESSION_PERMISSIONS=1770 + +create_session_dir() +{ +# We make TWIKI_SESSION_DIR +if ! mkdir $TWIKI_SESSION_DIR /dev/null; then +TWIKI_SESSION_DIR=`mktemp -d /tmp/twiki.XX` +fi +chmod $TWIKI_SESSION_PERMISSIONS $TWIKI_SESSION_DIR +chown $TWIKI_OWNER:www-data $TWIKI_SESSION_DIR + +perl -pi \ +-e s[(TempfileDir|WorkAreaDir).*][\$1} = '$TWIKI_SESSION_DIR';] \ +$MAIN_CONFIG +} + # summary of how this script can be called: #* postinst `configure' most-recently-configured-version @@ -58,7 +81,7 @@ db_get twiki/defaultUrlHost # be more robust later: -perl -pi~ -e '$U=q{'$RET'}; s{http://your.domain.com}{$U}g;' /etc/twiki/LocalSite.cfg +perl -pi~ -e '$U=q{'$RET'}; s{http://your.domain.com}{$U}g;' $MAIN_CONFIG perl -pi~ -e '$U=q{'$RET'}; s{http://your.domain.com}{$U}g;' /etc/twiki/apache.conf #remove the double //cgi-bin caused by putting a / at the end of the hostUrl perl -pi~ -e 's{/(/cgi-bin)}{$1}g;' /etc/twiki/apache.conf 
@@ -155,15 +178,26 @@ fi chown $TWIKI_OWNER.www-data /var/lib/twiki/working/work_areas - #, mailnotify etc may be running _not_ as www-data - #and for some reason create a session - #use 1777 to prevent third parties replacing the file with a doctored one - #put into /tmp/twiki so that the open dir can't be used by others to fill up /var, thus crashing all logging - if [ ! -e /tmp/twiki ]; then - mkdir /tmp/twiki - fi - chmod 1777 /tmp/twiki - chown $TWIKI_OWNER.www-data /tmp/twiki + +# create session dir (if needed) +if echo $CONFIG_TEMP_DIR|grep -q -- $UNDEFINED_TEMP_DIR_PATTERN; then + # NEW install + create_session_dir +else + if test -d $TWIKI_SESSION_DIR; then +found_owner=`ls -ld $TWIKI_SESSION_DIR|awk '{ print $3 }'` +found_group=`ls -ld $TWIKI_SESSION_DIR|awk '{ print $4 }'` +if ! test $found_owner = $TWIKI_OWNER -a \ + $found_group = www-data; then + # error permissions, recreate +create_session_dir +fi +else +# $TWIKI_SESSION_DIR is not a directory + create_session_dir +fi +fi + chmod $TWIKI_SESSION_PERMISSIONS $TWIKI_SESSION_DIR #add softlinks to make adding plugins easier () if [ ! -e /var/lib/twiki/lib ]; then @@ -181,7 +215,7 @@ chown -R $TWIKI_OWNER.www-data /var/log/twiki chmod -R 755 /var/log/twiki - chown $TWIKI_OWNER.www-data /etc/twiki/LocalSite.cfg + chown $TWIKI_OWNER.www-data $MAIN_CONFIG # erase configuser password db_reset twiki/adminpassword diff -u twiki-4.1.2/debian/rules twiki-4.1.2/debian/rules --- twiki-4.1.2/debian/rules +++ twiki-4.1.2/debian/rules @@ -124,10 +124,6 @@ # Build architecture-independent files here. binary-indep: build install -# We have nothing to do by default. - -# Build architecture-dependent files here. -binary-arch: build install dh_testdir dh_testroot dh_installdebconf @@ -156,6 +152,10 @@ dh_md5sums dh_builddeb +#
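Review bot: the new debian/changelog entry says only "Fix security hole" and sets urgency=low, while the 1:4.1.2-3.2 entry directly below it is urgency=high. Name the problem in the entry (postinst operating on /tmp/twiki when that name is a symlink) so it is useful to someone reading the changelog later, and reconsider the urgency for a security fix.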
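Review bot: in debian/LocalSite.cfg the shipped values of {RCS}{WorkAreaDir} and {TempfileDir} become the literal '-UNDEFINED_TEMP_DIR-', a relative path that TWiki would use as-is on any system where postinst does not reach create_session_dir. Add a comment in the file saying the value is a placeholder rewritten by postinst, and have postinst fail visibly if the placeholder is still present when it finishes. Only TempfileDir is read by the CONFIG_TEMP_DIR pipeline, so a config in which the two keys differ goes unnoticed.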
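Review bot: in the @@ -10,6 +10,29 @@ hunk of debian/postinst, create_session_dir falls back to mktemp -d /tmp/twiki.XX when mkdir fails, and that template has only two X characters, so the set of fallback names is small enough for a local user to occupy in advance; the result of mktemp is also not checked before chmod, chown and the perl rewrite of $MAIN_CONFIG run with it. Use a longer template such as /tmp/twiki.XXXXXX and leave the function with an error when mktemp fails. TWIKI_SESSION_PERMISSIONS=1770 also drops the access for other users that the comment removed in the later hunk says mailnotify may need when it does not run as www-data; state whether that is intended.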
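Review bot: in the @@ -155,15 +178,26 @@ hunk of debian/postinst, the branch for an existing install tests and chmods $TWIKI_SESSION_DIR, which is still the hard-coded /tmp/twiki, not the directory that was read from LocalSite.cfg into $CONFIG_TEMP_DIR. If an earlier run fell back to a mktemp name, an upgrade inspects /tmp/twiki instead of the configured directory and can rewrite the config to a new location. Set TWIKI_SESSION_DIR from CONFIG_TEMP_DIR before the ownership check. The owner and group comparison on the ls -ld output is also the only thing that rejects a symlink here, since test -d follows links; an explicit test -L check ahead of it would make that intent visible.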
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
similar to the change I have just coded and tested :) thanks

Dmitry E. Oboukhov wrote:

tags 494648 patch
thanks

Hi, Sven

see my patch, please
--
. ''`.   Dmitry E. Oboukhov
: :’  :  [EMAIL PROTECTED]
`. `~’   GPGKey: 1024D / F8E26537 2006-11-21
  `-     1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Hi Sven,

* Sven Dowideit [EMAIL PROTECTED] [2008-08-13 11:05]:

I'd need a second opinion on this report please. My recollection was that we squashed this in Bug#444982. If not, is there any chance that automated tool users are at least required to help out with a bit more information than the alarmist text below? I will have to assume that this report is indeed incorrect unless I hear otherwise.

Yes it looks indeed like this bug is invalid but this would be also hard to spot in a script. There might be still a better solution than storing these files in /tmp so people might not report this again in the future. What about /var/run?

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Nico,

/var/run - I'll keep that in mind for post lenny - I was really hoping that debian had a place for this sort of session data, but didn't manage to get there - thanks :)

I'm hoping for the next release that I can move everything into /var/twiki (rather than scattered around the fs, including polluting the perl lib dirs) so that TWiki people stop being totally confused by the setup :/

Sven

Nico Golde wrote:

Hi Sven,

* Sven Dowideit [EMAIL PROTECTED] [2008-08-13 11:05]:

I'd need a second opinion on this report please. My recollection was that we squashed this in Bug#444982. If not, is there any chance that automated tool users are at least required to help out with a bit more information than the alarmist text below? I will have to assume that this report is indeed incorrect unless I hear otherwise.

Yes it looks indeed like this bug is invalid but this would be also hard to spot in a script. There might be still a better solution than storing these files in /tmp so people might not report this again in the future. What about /var/run?

Kind regards
Nico
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

I will have to assume that this report is indeed incorrect unless I hear otherwise.

On my Debian Etch system:

  [EMAIL PROTECTED]:~$ apt-get source twiki
  Reading package lists... Done
  Building dependency tree... Done
  Need to get 4304kB of source archives.
  Get: 1 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (dsc) [639B]
  Get: 2 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (tar) [4264kB]
  Get: 3 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (diff) [39.3kB]
  Fetched 4304kB in 7s (546kB/s)
  gpg: Signature made Wed 21 Feb 2007 06:51:24 GMT using DSA key ID C0143D2D
  gpg: Can't check signature: public key not found
  dpkg-source: extracting twiki in twiki-4.0.5
  dpkg-source: unpacking twiki_4.0.5.orig.tar.gz
  dpkg-source: applying ./twiki_4.0.5-9.1.diff.gz
  [EMAIL PROTECTED]:~$ cd twiki-4.0.5/
  [EMAIL PROTECTED]:~/twiki-4.0.5$ grep /tmp/twiki debian/postinst
  if [ ! -e /tmp/twiki ]; then
  mkdir /tmp/twiki
  chmod 777 /tmp/twiki
  chown $TWIKI_OWNER.www-data /tmp/twiki
  [EMAIL PROTECTED]:~/twiki-4.0.5$

So :

1. If /tmp/twiki doesn't exist it is made as a directory.
2. If it does exist its permissions are changed - unconditionally

Let me exploit it:

  [EMAIL PROTECTED]:~$
  [EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
  [EMAIL PROTECTED]:~$ sudo apt-get install twiki
  Password:
  Reading package lists... Done
  Building dependency tree... Done
  The following extra packages will be installed:
  libalgorithm-diff-perl liblocale-maketext-lexicon-perl libtext-diff-perl rcs
  Suggested packages:
  ...
  ...
  Setting up libtext-diff-perl (0.35-2) ...
  Setting up rcs (5.7-18) ...
  Setting up twiki (4.0.5-9.1) ...
  Adding password for user TWikiGuest
  Reloading web server config...3224

Now what happened? Nothing. The directory /tmp/twiki was created and my symlink wasn't touched. So we look safe. But I'm not convinced.

I know that I can coerce it into working:

  [EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
  [EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
  [EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
  Reloading web server config...3224
  .
  [EMAIL PROTECTED]:~$ ls -l /etc/shadow
  -rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

I guess the difference is relating to the presence, or not, of /var/lib/twiki/data ? Looks like merely installing the package wouldn't trigger this, but an upgrade might. Or something like that !

Steve
--
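The postinst pattern from the message above, next to a variant that never follows a link, as an added example that is not code from the thread or from the twiki package. It runs inside a private mktemp sandbox against a constructed stand-in file; the function names are assumptions, and the chown step is left out so it runs without root.

```shell
#!/bin/sh
# Added illustration. "secret" is a constructed stand-in for the sensitive
# file in the report; nothing outside the mktemp sandbox is touched.

# Mode string of a path as printed by ls, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The etch postinst logic quoted above, with the path as a parameter.
legacy_session_dir() {
    dir=$1
    if [ ! -e "$dir" ]; then      # -e follows symlinks
        mkdir "$dir"
    fi
    chmod 777 "$dir"              # chmod follows symlinks as well
}

# Hardened variant (name and policy are assumptions of this example):
#  - mkdir is atomic and fails on any existing name, including a
#    symlink, so a planted link is never followed;
#  - an existing path is accepted only when it is a real directory
#    owned by the caller; anything else is refused untouched.
safe_session_dir() {
    dir=$1
    if mkdir -m 0700 "$dir" 2>/dev/null; then
        chmod 1770 "$dir"
        return 0
    fi
    if [ ! -L "$dir" ] && [ -d "$dir" ] && [ -O "$dir" ]; then
        chmod 1770 "$dir"
        return 0
    fi
    echo "refusing to use $dir: not a directory we own" >&2
    return 1
}

demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'constructed secret\n' > "$sandbox/secret"
    chmod 600 "$sandbox/secret"
    ln -s "$sandbox/secret" "$sandbox/twiki"   # link planted before "install"

    legacy_session_dir "$sandbox/twiki"
    echo "legacy:   secret is now $(mode_of "$sandbox/secret")"

    chmod 600 "$sandbox/secret"
    safe_session_dir "$sandbox/twiki" || echo "hardened: link rejected"
    echo "hardened: secret is still $(mode_of "$sandbox/secret")"
    rm -rf "$sandbox"
}

demo
```

A real maintainer script would apply the same ownership test to the package's own user and group before any chown.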
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wednesday 13 August 2008 at 20:06 +1000, Sven Dowideit wrote:

Nico, /var/run - I'll keep that in mind for post lenny - I was really hoping that debian had a place for this sort of session data, but didn't manage to get there - thanks :)

Maybe there is a web apps policy to be determined here (unless it exists already ?)

For instance, when considering recent issues with session files in phpgroupware, I noticed that with php5, by default sessions may be saved in /var/lib/php5/. But as we needed some kind of admin management of sessions of users (like killing them) it led us to have them (back) into /var/lib/phpgroupware/sessions/. I guess I've asked for some policy or guidelines but got no answer.

I'm hoping for the next release that I can move everything into /var/twiki (rather than scattered around the fs, including polluting the perl lib dirs) so that TWiki people stop being totally confused by the setup :/

Hmmm... It seems to me it wouldn't be a good idea. See http://www.debian.org/doc/debian-policy/ch-opersys.html#s-fhs and http://www.debian.org/doc/packaging-manuals/fhs/fhs-2.3.html for reference. I guess code should be in /usr/ and not in /var/ right ?

I guess that current dir layout is mostly good, as there are proper symlinks in /var/lib/twiki (bin, lib, data, pub, etc.). Once you're looking for something starting from /var/lib/twiki, you should find it (for TWiki folks).

Still, that /usr/share/perl5/TWiki* may not be desirable, yes. But I'm pretty sure the configuration allows some customization of the perl path. Still I don't know which path would be best. Maybe something like /usr/lib/twiki/ ?

Why change something that works ? ;)

My 2 cents.

Best regards,
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Hi Olivier,

* Olivier Berger [EMAIL PROTECTED] [2008-08-13 12:53]:

On Wednesday 13 August 2008 at 20:06 +1000, Sven Dowideit wrote:

[...]

I'm hoping for the next release that I can move everything into /var/twiki (rather than scattered around the fs, including polluting the perl lib dirs) so that TWiki people stop being totally confused by the setup :/

Hmmm... It seems to me it wouldn't be a good idea. See http://www.debian.org/doc/debian-policy/ch-opersys.html#s-fhs and http://www.debian.org/doc/packaging-manuals/fhs/fhs-2.3.html for reference. I guess code should be in /usr/ and not in /var/ right ?

twiki dumps code in this tmpdir?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Steve,

yes but your information is outdated. (although i'm embarrassed that we didn't also resolve it in the etch version :/)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982
Found in versions 4.1.2-1, twiki/1:4.1.2-2
Fixed in version twiki/1:4.1.2-3

and so, it seems to me that we're ok for the version that is going into lenny - I'll close it as soon as i can find the docco for howto do that :/

Sven

Steve Kemp wrote:

On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

I will have to assume that this report is indeed incorrect unless I hear otherwise.

On my Debian Etch system:

  [EMAIL PROTECTED]:~$ apt-get source twiki
  Reading package lists... Done
  Building dependency tree... Done
  Need to get 4304kB of source archives.
  Get: 1 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (dsc) [639B]
  Get: 2 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (tar) [4264kB]
  Get: 3 http://mirror.bytemark.co.uk etch/main twiki 1:4.0.5-9.1 (diff) [39.3kB]
  Fetched 4304kB in 7s (546kB/s)
  gpg: Signature made Wed 21 Feb 2007 06:51:24 GMT using DSA key ID C0143D2D
  gpg: Can't check signature: public key not found
  dpkg-source: extracting twiki in twiki-4.0.5
  dpkg-source: unpacking twiki_4.0.5.orig.tar.gz
  dpkg-source: applying ./twiki_4.0.5-9.1.diff.gz
  [EMAIL PROTECTED]:~$ cd twiki-4.0.5/
  [EMAIL PROTECTED]:~/twiki-4.0.5$ grep /tmp/twiki debian/postinst
  if [ ! -e /tmp/twiki ]; then
  mkdir /tmp/twiki
  chmod 777 /tmp/twiki
  chown $TWIKI_OWNER.www-data /tmp/twiki
  [EMAIL PROTECTED]:~/twiki-4.0.5$

So :

1. If /tmp/twiki doesn't exist it is made as a directory.
2. If it does exist its permissions are changed - unconditionally

Let me exploit it:

  [EMAIL PROTECTED]:~$
  [EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
  [EMAIL PROTECTED]:~$ sudo apt-get install twiki
  Password:
  Reading package lists... Done
  Building dependency tree... Done
  The following extra packages will be installed:
  libalgorithm-diff-perl liblocale-maketext-lexicon-perl libtext-diff-perl rcs
  Suggested packages:
  ...
  ...
  Setting up libtext-diff-perl (0.35-2) ...
  Setting up rcs (5.7-18) ...
  Setting up twiki (4.0.5-9.1) ...
  Adding password for user TWikiGuest
  Reloading web server config...3224

Now what happened? Nothing. The directory /tmp/twiki was created and my symlink wasn't touched. So we look safe. But I'm not convinced.

I know that I can coerce it into working:

  [EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
  [EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
  [EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
  Reloading web server config...3224
  .
  [EMAIL PROTECTED]:~$ ls -l /etc/shadow
  -rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

I guess the difference is relating to the presence, or not, of /var/lib/twiki/data ? Looks like merely installing the package wouldn't trigger this, but an upgrade might. Or something like that !

Steve
--
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
na, sorry, twiki dumps session data into /tmp/twiki

the /var vs /usr thing is a separate thing that non-DD's get frustrated with - basically, most people expect twiki to be laid out in the same way as it is on non-debian system - everything under one twiki dir. Debian packaging policy confuses the hell out of them.

Nico Golde wrote:

Hi Olivier,

* Olivier Berger [EMAIL PROTECTED] [2008-08-13 12:53]:

On Wednesday 13 August 2008 at 20:06 +1000, Sven Dowideit wrote:

[...]

I'm hoping for the next release that I can move everything into /var/twiki (rather than scattered around the fs, including polluting the perl lib dirs) so that TWiki people stop being totally confused by the setup :/

Hmmm... It seems to me it wouldn't be a good idea. See http://www.debian.org/doc/debian-policy/ch-opersys.html#s-fhs and http://www.debian.org/doc/packaging-manuals/fhs/fhs-2.3.html for reference. I guess code should be in /usr/ and not in /var/ right ?

twiki dumps code in this tmpdir?

Cheers
Nico
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Yes, I would suggest that there is a need for more detailed web apps policies - not just for where session files should be placed safely, but also things like safe and consistent ways to configure the webservers (apache1 vs apache2 are (or were last i looked) already a pain), and similarly for module support - like turning on mod_rewrite on the different systems.

the best irony of this bug, is : I've implemented Joey's suggestion of 1777 O_EXCL - mostly the files in tmp are written by CGI::Session, that takes care of things. I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point wrt to filling /var

Sven

Olivier Berger wrote:

On Wednesday 13 August 2008 at 20:06 +1000, Sven Dowideit wrote:

Nico, /var/run - I'll keep that in mind for post lenny - I was really hoping that debian had a place for this sort of session data, but didn't manage to get there - thanks :)

Maybe there is a web apps policy to be determined here (unless it exists already ?)

For instance, when considering recent issues with session files in phpgroupware, I noticed that with php5, by default sessions may be saved in /var/lib/php5/. But as we needed some kind of admin management of sessions of users (like killing them) it led us to have them (back) into /var/lib/phpgroupware/sessions/. I guess I've asked for some policy or guidelines but got no answer.

I'm hoping for the next release that I can move everything into /var/twiki (rather than scattered around the fs, including polluting the perl lib dirs) so that TWiki people stop being totally confused by the setup :/

Hmmm... It seems to me it wouldn't be a good idea. See http://www.debian.org/doc/debian-policy/ch-opersys.html#s-fhs and http://www.debian.org/doc/packaging-manuals/fhs/fhs-2.3.html for reference. I guess code should be in /usr/ and not in /var/ right ?

I guess that current dir layout is mostly good, as there are proper symlinks in /var/lib/twiki (bin, lib, data, pub, etc.). Once you're looking for something starting from /var/lib/twiki, you should find it (for TWiki folks).

Still, that /usr/share/perl5/TWiki* may not be desirable, yes. But I'm pretty sure the configuration allows some customization of the perl path. Still I don't know which path would be best. Maybe something like /usr/lib/twiki/ ?

Why change something that works ? ;)

My 2 cents.

Best regards,
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wednesday 13 August 2008 at 11:12 +0100, Steve Kemp wrote:

On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

I know that I can coerce it into working:

  [EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
  [EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
  [EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
  Reloading web server config...3224
  .
  [EMAIL PROTECTED]:~$ ls -l /etc/shadow
  -rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

I guess the difference is relating to the presence, or not, of /var/lib/twiki/data ? Looks like merely installing the package wouldn't trigger this, but an upgrade might. Or something like that !

And note that it may also be the same on a second install too, if after a first install, and a first removal, but which may have left over stuff in /var/lib/twiki/data ... which is not necessarily automatically purged on removal :-/

Just my 2 cents,
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
no, it's got nothing to do with /var/lib/twiki/data etc, it's the location for session data - produced by CGI::Session etc.

Olivier Berger wrote:

On Wednesday 13 August 2008 at 11:12 +0100, Steve Kemp wrote:

On Wed Aug 13, 2008 at 11:31:54 +1000, Sven Dowideit wrote:

I know that I can coerce it into working:

  [EMAIL PROTECTED]:~$ sudo rm -rf /tmp/twiki
  [EMAIL PROTECTED]:~$ ln -s /etc/shadow /tmp/twiki
  [EMAIL PROTECTED]:~$ sudo /var/lib/dpkg/info/twiki.postinst configure
  Reloading web server config...3224
  .
  [EMAIL PROTECTED]:~$ ls -l /etc/shadow
  -rwxrwxrwx 1 www-data www-data 1093 2008-08-13 10:35 /etc/shadow

I guess the difference is relating to the presence, or not, of /var/lib/twiki/data ? Looks like merely installing the package wouldn't trigger this, but an upgrade might. Or something like that !

And note that it may also be the same on a second install too, if after a first install, and a first removal, but which may have left over stuff in /var/lib/twiki/data ... which is not necessarily automatically purged on removal :-/

Just my 2 cents,
--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wed Aug 13, 2008 at 22:51:00 +1000, Sven Dowideit wrote:

no, it's got nothing to do with /var/lib/twiki/data etc, it's the location for session data - produced by CGI::Session etc.

Yes it does.

The code we're talking about is contained in the file debian/postinst, and only executes under the following condition:

  # create initial htpasswd, if needed
  if [ -e /var/lib/twiki/data ]; then
  ...
  ...
  #create securer-twiki session dir
  mkdir ...
  fi

My understanding of the discussion thus far is:

a. This is a genuine bug.
b. Which has been fixed.
c. Except in Etch.

Steve
--
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wednesday 13 August 2008 at 12:52 +0200, Olivier Berger wrote:

On Wednesday 13 August 2008 at 20:06 +1000, Sven Dowideit wrote:

Nico, /var/run - I'll keep that in mind for post lenny - I was really hoping that debian had a place for this sort of session data, but didn't manage to get there - thanks :)

Maybe there is a web apps policy to be determined here (unless it exists already ?)

For instance, when considering recent issues with session files in phpgroupware, I noticed that with php5, by default sessions may be saved in /var/lib/php5/. But as we needed some kind of admin management of sessions of users (like killing them) it led us to have them (back) into /var/lib/phpgroupware/sessions/. I guess I've asked for some policy or guidelines but got no answer.

On Wednesday 13 August 2008 at 22:12 +1000, Sven Dowideit wrote:

the best irony of this bug, is : I've implemented Joey's suggestion of 1777 O_EXCL - mostly the files in tmp are written by CGI::Session, that takes care of things. I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point wrt to filling /var

I'm not sure it's safe to remind old discussions about #444982 ;-), but anyway, looks to me like the filling of /var should be avoided by TWiki if possible, at least if we speak about temporary files that would never be deleted (such as session files, since you don't know if the user will continue the Web app's session, and need to keep them for some while, in principle. Timeout may depend on apps there, however).

As I understand it, wrt session files created with CGI::Session, they should be named in a consistent way, AFAIK (cgisess_ prefix, if I can trust man CGI::Session::Driver::file, and no further customizations).

Maybe a storage in some /var/[run/|tmp/|lib/twiki/tmp] (please correct me with proper path wrt policy+FHS) and a cron script would be best ?

Like for php5 : /etc/cron.d/php5 :

  09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

But maybe it would be best to have some policy concerning CGI::Session's default dir and purge cronjob, and no overloading of the default storage path, like in :

  new CGI::Session("driver:file", $sid, {Directory=>'whatever /tmp dir'});

in perl apps using it ?

Of course there may be some garbage collecting on these session files active here (for instance in php, it's deactivated by default, I think).

With respect to other temp files stored in {TempfileDir}, then I expect them to be auto-deleted by the script which uses them, so there should be less risks of filling /var.

I guess much of this discussion is not twiki specific and relates to use of CGI::Session... and may apply to other web packages too... hence area for other security checks ? (and policy ?)

My 2 cents again.
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On 13:57 Wed 13 Aug , Steve Kemp wrote:

SK On Wed Aug 13, 2008 at 22:51:00 +1000, Sven Dowideit wrote:
SK no, it's got nothing to do with /var/lib/twiki/data etc, it's the location
SK for session data - produced by CGI::Session etc.
SK Yes it does.
SK The code we're talking about is contained in the file debian/postinst,
SK and only executes under the following condition:
SK # create initial htpasswd, if needed
SK if [ -e /var/lib/twiki/data ]; then
SK ...
SK ...
SK #create securer-twiki session dir
SK mkdir ...
SK fi
SK My understanding of the discussion thus far is:
SK a. This is a genuine bug.
SK b. Which has been fixed.

Where?

  $curl http://ftp.nl.debian.org/debian/pool/main/t/twiki/twiki_4.1.2-3.2.diff.gz 2>/dev/null|gunzip|grep -A 219 '^[+]\{3\}.*postinst'|grep '/tmp/'
  + #put into /tmp/twiki so that the open dir can't be used by others to fill up /var, thus crashing all logging
  + if [ ! -e /tmp/twiki ]; then
  + mkdir /tmp/twiki
  + chmod 1777 /tmp/twiki
  + chown $TWIKI_OWNER.www-data /tmp/twiki

http://packages.qa.debian.org/t/twiki.html
Stable 1:4.0.5-9.1
Testing 1:4.1.2-3.2
Unstable 1:4.1.2-3.2

for etch:

  $ curl http://ftp.nl.debian.org/debian/pool/main/t/twiki/twiki_4.0.5-9.1.diff.gz 2>/dev/null |gunzip|grep -A 219 '^[+]\{3\}.*postinst'|grep '/tmp/'
  + if [ ! -e /tmp/twiki ]; then
  + mkdir /tmp/twiki
  + chmod 777 /tmp/twiki
  + chown $TWIKI_OWNER.www-data /tmp/twiki

SK c. Except in Etch.

and lenny and sid

SK Steve
--
... mpd playing: U.D.O. - Man And Machine

. ''`.   Dmitry E. Oboukhov
: :’  :  [EMAIL PROTECTED]
`. `~’   GPGKey: 1024D / F8E26537 2006-11-21
  `-     1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wednesday 13 August 2008 at 13:57 +0100, Steve Kemp wrote:

My understanding of the discussion thus far is:

a. This is a genuine bug.
b. Which has been fixed.
c. Except in Etch.

No, as :

On Wednesday 13 August 2008 at 16:39 +0400, Dmitry E. Oboukhov wrote:

reopen 494648
thanks

If you want, You may merge the bugs 444982 494648, don't close!

  $ ln -s /etc/shadow /tmp/twiki
  $ LANG=C sudo apt-get install twiki
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Setting up twiki (1:4.1.2-3.2) ...
  Adding password for user TWikiGuest
  Adding password for user admin
  reloading apache2 config
  Reloading web server config: apache2.
  $ ll /etc/shadow
  -rwxrwxrwt 1 www-data www-data 1339 Июл 28 10:26 /etc/shadow

I guess it's still there for lenny, then.

Regards,
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
so Dmitry,

if you were trying to actually help get this fixed, I presume you would have suggested that I just patch the code to

  rm /tmp/twiki

and then create it?

or what are you actually suggesting?

Sven

Dmitry E. Oboukhov wrote:

Where?

  $curl http://ftp.nl.debian.org/debian/pool/main/t/twiki/twiki_4.1.2-3.2.diff.gz 2>/dev/null|gunzip|grep -A 219 '^[+]\{3\}.*postinst'|grep '/tmp/'
  + #put into /tmp/twiki so that the open dir can't be used by others to fill up /var, thus crashing all logging
  + if [ ! -e /tmp/twiki ]; then
  + mkdir /tmp/twiki
  + chmod 1777 /tmp/twiki
  + chown $TWIKI_OWNER.www-data /tmp/twiki

http://packages.qa.debian.org/t/twiki.html
Stable 1:4.0.5-9.1
Testing 1:4.1.2-3.2
Unstable 1:4.1.2-3.2

for etch:

  $ curl http://ftp.nl.debian.org/debian/pool/main/t/twiki/twiki_4.0.5-9.1.diff.gz 2>/dev/null |gunzip|grep -A 219 '^[+]\{3\}.*postinst'|grep '/tmp/'
  + if [ ! -e /tmp/twiki ]; then
  + mkdir /tmp/twiki
  + chmod 777 /tmp/twiki
  + chown $TWIKI_OWNER.www-data /tmp/twiki

SK c. Except in Etch.

and lenny and sid

SK Steve
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
> so Dmitry,
>
> if you were trying to actually help get this fixed, I presume you would
> have suggested that I just patch the code to
>
> rm /tmp/twiki
> and then create it?
>
> or what are you actually suggesting?

No. Don't touch/use predictable file names in /tmp.

Cheers,
Julien
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
these are _WEB_ session files.
there are no user directories.

Dmitry E. Oboukhov wrote:
> SD> so Dmitry,
> SD> if you were trying to actually help get this fixed, I presume you would
> SD> have suggested that I just patch the code to
> SD> rm /tmp/twiki
> SD> and then create it?
> SD> or what are you actually suggesting?
> SD> Sven
>
> In my opinion You can oblige the user to create this temp-dir in his
> directories and use a user copy of LocalSite.cfg instead of the system
> config ($TWiki::cfg{RCS}{WorkAreaDir}).
>
> hmm
> --
> Dmitry E. Oboukhov
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
So are you suggesting that I instead fill up /tmp directly with thousands of cgisess_123412 files?

because the location that those files go into needs to be predictable - so that each cgi script goes to the same place.

Julien Cristau wrote:
> On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
> > so Dmitry,
> >
> > if you were trying to actually help get this fixed, I presume you would
> > have suggested that I just patch the code to
> >
> > rm /tmp/twiki
> > and then create it?
> >
> > or what are you actually suggesting?
>
> No. Don't touch/use predictable file names in /tmp.
>
> Cheers,
> Julien
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wednesday 13 August 2008 at 16:19 +0200, Julien Cristau wrote:
> On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
> > so Dmitry,
> >
> > if you were trying to actually help get this fixed, I presume you would
> > have suggested that I just patch the code to
> >
> > rm /tmp/twiki
> > and then create it?
> >
> > or what are you actually suggesting?
>
> No. Don't touch/use predictable file names in /tmp.

Which leads us again to something like /var/run/twiki/session/ or /var/lib/twiki/tmp/session/ or some other custom path, with some garbage collection (cronjob?) and all the fuss?

Maybe there is a best-practice use of CGI::Session somewhere?

... not to mention other uses of the other files created in /tmp/twiki at the moment... but the most critical seems to be the dir creation in the postinst.

Or maybe simply not create a separate dir for session files and use plain clear /tmp for CGI::Session files? Unless that leads to potential information leaks?

Follow-up to: http://lists.debian.org/debian-devel/2008/08/msg00340.html ?

My 2 cents,
--
Olivier BERGER [EMAIL PROTECTED]
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
No, I was told by Nico or Joey that web apps should not be filling up the /var filesystem with session files.

this is apparently also _not_ a solution.

/tmp was determined in October 2007 as the best place

Dmitry E. Oboukhov wrote:
> On 00:17 Thu 14 Aug , Sven Dowideit wrote:
> SD> these are _WEB_ session files.
> SD> there are no user directories.
>
> then it must have user:group == www-data:www-data and
> attributes = 0700 or 0770 or 0750
> and be placed to /var/???/twiki
>
> SD> Dmitry E. Oboukhov wrote:
> SD> SD> so Dmitry,
> SD> SD>
> SD> SD> if you were trying to actually help get this fixed, I presume you would
> SD> SD> have suggested that I just patch the code to
> SD> SD>
> SD> SD> rm /tmp/twiki
> SD> SD> and then create it?
> SD> SD>
> SD> SD> or what are you actually suggesting?
> SD> SD>
> SD> SD> Sven
> SD>
> SD> In my opinion You can oblige the user to create this temp-dir
> SD> in his directories and use a user copy of LocalSite.cfg instead of the system
> SD> config ($TWiki::cfg{RCS}{WorkAreaDir}).
> SD>
> SD> hmm
> --
> Dmitry E. Oboukhov
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Yes, you should not share CGI::Session files, it does lead to leakage, and really odd side effects.

Olivier Berger wrote:
> On Wednesday 13 August 2008 at 16:19 +0200, Julien Cristau wrote:
> > On Wed, Aug 13, 2008 at 23:24:47 +1000, Sven Dowideit wrote:
> > > so Dmitry,
> > >
> > > if you were trying to actually help get this fixed, I presume you would
> > > have suggested that I just patch the code to
> > >
> > > rm /tmp/twiki
> > > and then create it?
> > >
> > > or what are you actually suggesting?
> >
> > No. Don't touch/use predictable file names in /tmp.
>
> Which leads us again to something like /var/run/twiki/session/
> or /var/lib/twiki/tmp/session/ or some other custom path, with some
> garbage collection (cronjob?) and all the fuss?
>
> Maybe there is a best-practice use of CGI::Session somewhere?
>
> ... not to mention other uses of the other files created in /tmp/twiki
> at the moment... but the most critical seems to be the dir creation in
> the postinst.
>
> Or maybe simply not create a separate dir for session files and use
> plain clear /tmp for CGI::Session files? Unless that leads to
> potential information leaks?
>
> Follow-up to: http://lists.debian.org/debian-devel/2008/08/msg00340.html ?
>
> My 2 cents,
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On 00:38 Thu 14 Aug , Sven Dowideit wrote:
SD> No, I was told by Nico or Joey that web apps should not be filling up
SD> the /var filesystem with session files.

SD> this is apparently also _not_ a solution.

SD> /tmp was determined in October 2007 as the best place

Ok, You can do it (in your postinst):

    twiki_session_dir=`mktemp -d /tmp/twiki.XX`
    chown www-data:www-data $twiki_session_dir # or chown $TWIKI_OWNER:www-data
    chmod 0750 $twiki_session_dir # or chmod 1770 if $TWIKI_OWNER != www-data
    perl -pi -e "s|(TempfileDir).*|\$1} = '$twiki_session_dir';|" \
        /etc/twiki/LocalSite.cfg

attributes must be 0750 or 0770 or 0700 if owner==www-data
or 1770 if owner != www-data ($TWIKI_OWNER)
--
Dmitry E. Oboukhov
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Dmitry E. Oboukhov wrote:
> On 00:38 Thu 14 Aug , Sven Dowideit wrote:
> SD> No, I was told by Nico or Joey that web apps should not be filling up
> SD> the /var filesystem with session files.
>
> SD> this is apparently also _not_ a solution.
>
> SD> /tmp was determined in October 2007 as the best place
>
> Ok, You can do it (in your postinst):
>
>     twiki_session_dir=`mktemp -d /tmp/twiki.XX`
>     chown www-data:www-data $twiki_session_dir # or chown $TWIKI_OWNER:www-data
>     chmod 0750 $twiki_session_dir # or chmod 1770 if $TWIKI_OWNER != www-data
>     perl -pi -e "s|(TempfileDir).*|\$1} = '$twiki_session_dir';|" \
>         /etc/twiki/LocalSite.cfg
>
> attributes must be 0750 or 0770 or 0700 if owner==www-data
> or 1770 if owner != www-data ($TWIKI_OWNER)

and then on upgrade, create another one because the user selected to overwrite the cfg, and so on - sounds like it's less of a solution than to use a predictable dir, with a more appropriate attempt to make sure it's safe.

it worries me that you appear to be contradicting the permissions I was required to set up for #444982 - I'm not quite sure whose advice should get priority - Joey's or yours.

Perhaps I should set up a google fight.

Sven
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
SD> > On 00:38 Thu 14 Aug , Sven Dowideit wrote:
SD> > SD> No, I was told by Nico or Joey that web apps should not be filling up
SD> > SD> the /var filesystem with session files.
SD> >
SD> > SD> this is apparently also _not_ a solution.
SD> >
SD> > SD> /tmp was determined in October 2007 as the best place
SD> >
SD> > Ok, You can do it (in your postinst):
SD> >
SD> >     twiki_session_dir=`mktemp -d /tmp/twiki.XX`
SD> >     chown www-data:www-data $twiki_session_dir # or chown $TWIKI_OWNER:www-data
SD> >     chmod 0750 $twiki_session_dir # or chmod 1770 if $TWIKI_OWNER != www-data
SD> >     perl -pi -e "s|(TempfileDir).*|\$1} = '$twiki_session_dir';|" \
SD> >         /etc/twiki/LocalSite.cfg
SD> >
SD> > attributes must be 0750 or 0770 or 0700 if owner==www-data
SD> > or 1770 if owner != www-data ($TWIKI_OWNER)

SD> and then on upgrade, create another one because the user selected to
SD> overwrite the cfg, and so on - sounds like it's less of a solution than
SD> to use a predictable dir, with a more appropriate attempt to make sure
SD> it's safe.

SD> it worries me that you appear to be contradicting the permissions I was
SD> required to set up for #444982 - I'm not quite sure whose advice should
SD> get priority - Joey's or yours.

SD> Perhaps I should set up a google fight.

Full algorithm:

1. You change debian/LocalSite.cfg:
   s{/tmp/twiki}{#UNDEFINED_TEMP_DIR#};

2. in postinst You do:

2.1
    if grep -q '#UNDEFINED_TEMP_DIR#' /etc/twiki/LocalSite.cfg; then
        twiki_session_dir=`mktemp -d /tmp/twiki.XX`
        perl -pi -e \
            "s|(TempfileDir).*|\$1} = '$twiki_session_dir';|" \
            /etc/twiki/LocalSite.cfg
        chown $TWIKI_OWNER:www-data "$twiki_session_dir"
    else
        twiki_session_dir=`grep TempfileDir /etc/twiki/LocalSite.cfg \
            | sed "s/.*=[[:space:]]*'//" | sed "s/'.*//"`
    fi
    # [1]
    chmod 1770 "$twiki_session_dir"

in [1] you can insert the verification code, for example:

    if test -d "$twiki_session_dir"; then
        # $twiki_session_dir is directory and exists
        found_owner=`ls -ld "$twiki_session_dir"|awk '{ print $3 }'`
        found_group=`ls -ld "$twiki_session_dir"|awk '{ print $4 }'`
        if test "$found_owner" = "$TWIKI_OWNER" -a \
                "$found_group" = www-data; then
            : # previous install is ok (owner:group)
        else
            : # unknown owner
        fi
    else
        : # $twiki_session_dir is not directory
          # you can recreate it with new path
    fi

3. You can show errors with help of debhelper's dialogs.
--
Dmitry E. Oboukhov
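The ownership check sketched at [1] above still passes when the configured path is a symlink to a directory, because `test -d` and `chmod` both dereference links. An added example (not from the thread or the twiki package) of a create-or-validate helper that refuses links; the function name `safe_session_dir` and its arguments are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the thread or from the twiki package.
# safe_session_dir PATH OWNER_UID MODE
#   returns 0 if PATH is now a real directory owned by OWNER_UID with MODE;
#   returns 1 and changes nothing if PATH is a symlink, a non-directory,
#   or a directory owned by another uid.
# Assumption: the parent directory is root-owned and sticky (like /tmp), so
# an entry owned by OWNER_UID cannot be swapped out by another local user.
safe_session_dir() {
    dir=$1 want_uid=$2 mode=$3

    # mkdir without -p is atomic and fails if anything, even a dangling
    # symlink, already occupies the name; it never follows the link.
    if mkdir -m 0700 "$dir" 2>/dev/null; then
        # Only reached for a directory this process just created.
        [ "$(id -u)" = "$want_uid" ] || chown "$want_uid" "$dir"
        chmod "$mode" "$dir"
        return 0
    fi

    # Something already exists. Check for a symlink first: [ -d ] follows
    # links and would accept a link that points at a directory.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a directory" >&2
        return 1
    fi

    # stat without -L reports on the entry itself; %u is the numeric owner.
    found_uid=$(stat -c %u "$dir") || return 1
    if [ "$found_uid" != "$want_uid" ]; then
        echo "refusing: $dir owned by uid $found_uid, expected $want_uid" >&2
        return 1
    fi
    chmod "$mode" "$dir"
}
```

A postinst would call this as root with the numeric uid of the wiki owner and abort the configuration step on a non-zero return instead of running `chmod`/`chown` on the path.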
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:
> the best irony of this bug, is :
>
> I've implemented Joey's suggestion of 1777 O_EXCL - mostly the files in
> tmp are written by CGI::Session, that takes care of things.
>
> I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point
> wrt to filling /var

By coincidence (testing authentication through CAS servers for TWiki, and tracing what happens in TemplateLogin), I happened to run into that O_EXCL permission on passthru files (dunno what they are, btw), and notice that apparently #444982 wasn't fixed the right way it seems.

See more details in newly filed #494993.

Sad irony ;-)

Best regards,
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
how would this be different from ?

Debian Bug report logs - #468159
twiki: Redirect after Template Login failes

Olivier Berger wrote:
> On Wed, Aug 13, 2008 at 10:12:29PM +1000, Sven Dowideit wrote:
> > the best irony of this bug, is :
> >
> > I've implemented Joey's suggestion of 1777 O_EXCL - mostly the files in
> > tmp are written by CGI::Session, that takes care of things.
> >
> > I also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point
> > wrt to filling /var
>
> By coincidence (testing authentication through CAS servers for TWiki,
> and tracing what happens in TemplateLogin), I happened to run into that
> O_EXCL permission on passthru files (dunno what they are, btw), and
> notice that apparently #444982 wasn't fixed the right way it seems.
>
> See more details in newly filed #494993.
>
> Sad irony ;-)
>
> Best regards,
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Guys, I'd need a second opinion on this report please.

My recollection was that we squashed this in Bug#444982

If not, is there any chance that automated tool users are at least required to help out with a bit more information than the alarmist text below?

I will have to assume that this report is indeed incorrect unless I hear otherwise.

Sven

Dmitry E. Oboukhov wrote:
> Package: twiki
> Severity: grave
> Tags: security
>
> This message about the error concerns a few packages at once. I've
> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
> config scripts were tested.
>
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files.
>
> For example if a script uses in its work a temp file which is created
> in /tmp directory, then every user can create symlink with the same
> name in this directory in order to destroy or rewrite some system file.
>
> I set Severity into grave for this bug. The table of discovered
> problems is below.
>
> +------------------+----------------+-----------------------------------
> | package          | script         | file for attack
> +------------------+----------------+-----------------------------------
> | mplayer-1.0~rc2  | config         | /tmp/HACK (pipe)
> |                  |                |
> | nws-2.13         | postinst       | /tmp/nws.debug (cp)
> |                  |                |
> | ppp-2.4.4rel     | postinst       | /tmp/probe-finished (rm -f, pipe)
> |                  | postinst       | /tmp/ppp-errors (rm -f, pipe)
> | ppp-udeb         | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
> |                  |                |
> | twiki-4.1.2      | postinst       | /tmp/twiki (chmod 1777, chown)
> +------------------+----------------+-----------------------------------
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Package: twiki
Severity: grave
Tags: security

This message about the error concerns a few packages at once. I've tested all the packages on my Debian mirror. (post|pre)(inst|rm) and config scripts were tested.

In some packages I've discovered scripts with errors which may be used by a user for damaging important system files.

For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlink with the same name in this directory in order to destroy or rewrite some system file.

I set Severity to grave for this bug. The table of discovered problems is below.

+------------------+----------------+-----------------------------------
| package          | script         | file for attack
+------------------+----------------+-----------------------------------
| mplayer-1.0~rc2  | config         | /tmp/HACK (pipe)
|                  |                |
| nws-2.13         | postinst       | /tmp/nws.debug (cp)
|                  |                |
| ppp-2.4.4rel     | postinst       | /tmp/probe-finished (rm -f, pipe)
|                  | postinst       | /tmp/ppp-errors (rm -f, pipe)
| ppp-udeb         | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
|                  |                |
| twiki-4.1.2      | postinst       | /tmp/twiki (chmod 1777, chown)
+------------------+----------------+-----------------------------------
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
ah, good find.

Ardo and Christian,

If I make an update to the 4.1.2 package, fixing this, and a couple of other issues that I've been told about in the next 48 days, would one of you be willing to upload it for me so it gets into Lenny?

Sven

Dmitry E. Oboukhov wrote:
> Package: twiki
> Severity: grave
> Tags: security
>
> This message about the error concerns a few packages at once. I've
> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
> config scripts were tested.
>
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files.
>
> For example if a script uses in its work a temp file which is created
> in /tmp directory, then every user can create symlink with the same
> name in this directory in order to destroy or rewrite some system file.
>
> I set Severity into grave for this bug. The table of discovered
> problems is below.
>
> +------------------+----------------+-----------------------------------
> | package          | script         | file for attack
> +------------------+----------------+-----------------------------------
> | mplayer-1.0~rc2  | config         | /tmp/HACK (pipe)
> |                  |                |
> | nws-2.13         | postinst       | /tmp/nws.debug (cp)
> |                  |                |
> | ppp-2.4.4rel     | postinst       | /tmp/probe-finished (rm -f, pipe)
> |                  | postinst       | /tmp/ppp-errors (rm -f, pipe)
> | ppp-udeb         | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
> |                  |                |
> | twiki-4.1.2      | postinst       | /tmp/twiki (chmod 1777, chown)
> +------------------+----------------+-----------------------------------
Bug#494648: The possibility of attack with the help of symlinks in some Debian packages
Quoting Sven Dowideit ([EMAIL PROTECTED]):
> ah, good find.
>
> Ardo and Christian,
>
> If I make an update to the 4.1.2 package, fixing this, and a couple of
> other issues that I've been told about in the next 48 days, would one of
> you be willing to upload it for me so it gets into Lenny?

For the couple of other issues, I suggest you talk with the release team to check with them if they fit the freeze exceptions guidelines.