Bug 11724 - tempfile has easily guessed name and follows symlinks
Summary: tempfile has easily guessed name and follows symlinks
Alias: None
Product: Red Hat Powertools
Classification: Retired
Component: diskcheck   
(Show other bugs)
Version: 6.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tim Powers
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-05-29 00:53 UTC by SB
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-12-04 16:35:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2000:122 normal SHIPPED_LIVE : race condition exists in diskcheck 2000-12-01 05:00:00 UTC

Description SB 2000-05-29 00:53:14 UTC
The diskcheck.pl script is located in /etc/cron.hourly and is executed
every hour by cron to check if any disks/partitions are 90%+ filled and if
so an e-mail is to root (as specified in /etc/diskcheck.conf by default).
I find it useful, however I have come across a configuration problem that
leaves a rather annoying security problem.  Whenever the script is run, it
creates a file named /tmp/diskusagealert.txt.$$  This is due to the line in

# Location and name for a temp file
$tempfile = '/tmp/diskusagealert.txt';

and the script itself adds the process number to the end of the file name.
Using a program like temp-watch a normal user can easily guess what the
file will be named and create a symlink to an existing or non-existing file
and overwrite or create files anywhere on any mounted drive because the
program does not check to see if the file exists or not.  Creating only 75
symlinks I was able to get diskcheck to overwrite /etc/shadow when it was
executed by cron, which is obviously a bad thing.
   The script itself writes the temp fiel which contains an e-mail to the
user specified in /etc/diskcheck.conf informing him/her that there are/is
partition(s) over 90% full, and if there are really any it sends the
e-mail.  Because it writes the e-mail whether or not there are near
capacity drives it can be exploited under any circumstances with regards to
drives being filled or not.  When a system is busy (i.e. high work load or
many users on) it is much more trivial to exploit.
   There are a couple ways to deal with this:
1) Change the directory name in the script to use something like
/var/spool/cron instead of /tmp to create the temp file.
2) Use a less guessable name and check for the existence of files befre
creating new one.
3) Modify the script to only write the temp file if the disks are filling
AND use one of the above two methods to safely create the file.

-Stan Bubrouski

Comment 1 Tim Powers 2000-06-08 15:42:23 UTC
Thanks for the report. I have built it and it now uses /var/spool/cron by
default in the conf file. The latest package shoudl show up in rawhide the next
time it's updated.


Comment 2 Tim Powers 2000-12-04 16:34:16 UTC
An errata will be released today for Powertools 6.x. For some reason it was
fixed for Powertools 7, but I forgot to release an errata for 6.x.


Note You need to log in before you can comment on or make changes to this bug.