Red Hat Bugzilla – Bug 11724
tempfile has easily guessed name and follows symlinks
Last modified: 2008-05-01 11:37:55 EDT
The diskcheck.pl script is located in /etc/cron.hourly and is executed
every hour by cron to check if any disks/partitions are 90%+ filled and if
so an e-mail is sent to root (as specified in /etc/diskcheck.conf by default).
I find it useful, however I have come across a configuration problem that
leaves a rather annoying security problem. Whenever the script is run, it
creates a file named /tmp/diskusagealert.txt.$$. This is due to the following line in the script:
# Location and name for a temp file
$tempfile = '/tmp/diskusagealert.txt';
and the script itself adds the process number to the end of the file name.
Using a program like temp-watch a normal user can easily guess what the
file will be named and create a symlink to an existing or non-existing file
and overwrite or create files anywhere on any mounted drive because the
program does not check to see if the file exists or not. Creating only 75
symlinks, I was able to get diskcheck to overwrite /etc/shadow when it was
executed by cron, which is obviously a bad thing.
The script itself writes the temp file which contains an e-mail to the
user specified in /etc/diskcheck.conf informing him/her that there are/is
partition(s) over 90% full, and if there are really any it sends the
e-mail. Because it writes the e-mail whether or not there are near
capacity drives it can be exploited under any circumstances with regards to
drives being filled or not. When a system is busy (i.e. high work load or
many users on) it is much more trivial to exploit.
There are a couple ways to deal with this:
1) Change the directory name in the script to use something like
/var/spool/cron instead of /tmp to create the temp file.
2) Use a less guessable name and check for the existence of files before
creating a new one.
3) Modify the script to only write the temp file if the disks are filling
AND use one of the above two methods to safely create the file.
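The predictable-name pattern described above next to a version that applies items 1, 2 and 3 of the suggested fixes, as an added Perl example that is not the diskcheck.pl source; the /var/spool/diskcheck directory, the function names and the sample usage figures are assumptions:

```perl
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);

# The pattern the report describes (assumed, not copied from diskcheck.pl):
# fixed prefix plus PID and no existence check. open('>') follows a symlink
# that is already sitting at that predictable name.
sub write_alert_unsafe {
    my ($body) = @_;
    my $tempfile = "/tmp/diskusagealert.txt.$$";
    open(my $fh, '>', $tempfile) or die "open $tempfile: $!";
    print $fh $body;
    close $fh or die "close $tempfile: $!";
    return $tempfile;
}

# Hardened version (items 1 and 2): a directory that is not world-writable,
# a random suffix, O_EXCL so any pre-existing entry (symlink included) makes
# the open fail instead of being followed, and O_NOFOLLOW as a second guard.
# A name clash is retried; any other error is fatal.
sub write_alert_safe {
    my ($body, $dir) = @_;
    $dir //= '/var/spool/diskcheck';    # assumed location, must exist, mode 0700
    for (1 .. 10) {
        my $rand = join '', map { sprintf '%02x', int rand 256 } 1 .. 8;
        my $tempfile = "$dir/diskusagealert.$rand.txt";
        if (sysopen(my $fh, $tempfile, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)) {
            print $fh $body;
            close $fh or die "close $tempfile: $!";
            return $tempfile;
        }
        die "sysopen $tempfile: $!" unless $! == EEXIST;
    }
    die "could not create a unique temp file in $dir";
}

# Item 3: build the mail body only when a partition is over the limit,
# so nothing at all is written on a healthy system.
sub alert_body {
    my ($limit, %usage) = @_;    # %usage: mount point => percent used
    my @full = grep { $usage{$_} >= $limit } sort keys %usage;
    return undef unless @full;
    return join '', map { "$_ is $usage{$_}% full\n" } @full;
}

# Constructed sample data: only /home trips the 90% threshold.
my $body = alert_body(90, '/' => 42, '/home' => 95);
print write_alert_safe($body), "\n" if defined $body;
```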
Thanks for the report. I have built it and it now uses /var/spool/cron by
default in the conf file. The latest package should show up in rawhide the next
time it's updated.
An errata will be released today for Powertools 6.x. For some reason it was
fixed for Powertools 7, but I forgot to release an errata for 6.x.