On Thu, Oct 15, 2009 at 06:01:44PM -0000, Daniel Nurmi wrote: > We've analyzed the points in the source tree that are referenced, and > have found that none of them are actually exercised in a Karmic default > eucalyptus running system. More detail on each follows:
Excellent, the bulk of these can be ignored then. :) > These two are never used for Karmic by default (which uses the > handlers_kvm.c), unless a user installs Xen on their node controllers. The > first can be entirely removed (is just there for debugging). The second is > actually, I believe, as unpredictable or more so than a file created with > mktemp(). Eucalyptus instanceIds are random unique ids of 8 hex characters > ("i-ABCDEFGH" where A-H are hex values). > ./tools/detach.pl:system("cp $virshxmlfile /tmp/wtf"); Yeah, this line should just be removed. > ./node/handlers_xen.c: snprintf(filename, 1024, "/tmp/consoleOutput.%s", instanceId); Would it make sense to use some other location instead of /tmp? While it's not predictable, the file isn't handled safely on creation. At the least, I would recommend adding O_EXCL to the flags. This may require an unlink() call to blow away old files, but that's symlink-attack safe. With the O_EXCL, worst case is a DoS on the console output. Speaking of that code, I noticed this on the side that waits for the file to appear: while(count < 10000 && stat(filename, &statbuf) < 0) {count++;} fd = open(filename, O_RDONLY); That loop is going to go by _very_ quickly. e.g. on my system, that takes 0.017 seconds to execute. I would recommend (not for security, but for possible race bugs) that you use nanosleep() and time() for choosing an actual timeout to wait with. :) Thanks for checking! -Kees -- Kees Cook Ubuntu Security Team -- uses unsafe /tmp files https://bugs.launchpad.net/bugs/445105 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to eucalyptus in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs