Kurt Seifried (kseifried) reports: While looking at various components for Storage I ran across some tmp file issues in ctdb: ======================================== ./ctdb-1.0.114.5/tcp/tcp_connect.c: const char *lock_path = "/tmp/.ctdb_socket_lock"; const char *lock_path = "/tmp/.ctdb_socket_lock"; struct flock lock; int one = 1; int sock_size; /* in order to ensure that we don't get two nodes with the same adddress, we must make the bind() and listen() calls atomic. The SO_REUSEADDR setsockopt only prevents double binds if the first socket is in LISTEN state */ lock_fd = open(lock_path, O_RDWR|O_CREAT, 0666); if (lock_fd == -1) { DEBUG(DEBUG_CRIT,("Unable to open %s\n", lock_path)); return -1; } ======================================== ./ctdb-1.0.114.5/server/eventscript.c: " >/tmp/ctdb.event.%s.%d", tbuf, getpid()); sprintf(buf, "{ pstree -p; cat /proc/locks; ls -li /var/ctdb/ /var/ctdb/persistent; }" " >/tmp/ctdb.event.%s.%d", tbuf, getpid()); system(buf); ======================================== ./ctdb-1.0.114.5/tools/ctdb_diagnostics:ERRORS="/tmp/diag_err.$$" ./ctdb-1.0.114.5/tools/ctdb_diagnostics: tmpf=/tmp/`basename $f`.node$i ./ctdb-1.0.114.5/tools/ctdb_diagnostics: tmpf=/tmp/`basename $f`.node$i shell script, easy to exploit. ======================================== ./ctdb-1.0.114.5/config/gdb_backtrace:BATCHFILE_PRE=/tmp/gdb_backtrace_pre.$$ ./ctdb-1.0.114.5/config/gdb_backtrace:BATCHFILE_MAIN=/tmp/gdb_backtrace_main.$$ shell script, easy to exploit. ======================================== ./ctdb-1.0.114.5/config/ctdb.sysconfig:# defaults to /tmp/ctdb.socket ./ctdb-1.0.114.5/config/ctdb.sysconfig:# CTDB_SOCKET=/tmp/ctdb.socket This appears to be used unsafely later on ======================================== ./ctdb-1.0.114.5/include/ctdb_private.h:#define CTDB_PATH "/tmp/ctdb.socket" This appears to be used unsafely later on ======================================== It varies a bit in newer versions but the core problems are present.
Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=10104
(In reply to Kurt Seifried from comment #0) > ./ctdb-1.0.114.5/tcp/tcp_connect.c: > const char *lock_path = "/tmp/.ctdb_socket_lock"; Fixed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=b9b9f6738fba5c32e87cb9c36b358355b444fb9b > ./ctdb-1.0.114.5/server/eventscript.c: > sprintf(buf, "{ pstree -p; cat /proc/locks; ls -li /var/ctdb/ /var/ctdb/persistent; }" > " >/tmp/ctdb.event.%s.%d", tbuf, getpid()); > system(buf); Removed upstream and replaced by an external script: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=6e68797af67bee36f2bad045f94806e7e98f27e9 > ======================================== > ./ctdb-1.0.114.5/tools/ctdb_diagnostics: > ERRORS="/tmp/diag_err.$$" > tmpf=/tmp/`basename $f`.node$i > tmpf=/tmp/`basename $f`.node$i Fixed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=406e1cb1fdd17ddd239774d0228e3657b73ae68f > ./ctdb-1.0.114.5/config/gdb_backtrace: > BATCHFILE_PRE=/tmp/gdb_backtrace_pre.$$ > BATCHFILE_MAIN=/tmp/gdb_backtrace_main.$$ Removed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=4b914d7e217202f3d11a8e95f9f74bc17869475b This only exists in ctdb srpm in Red Hat Enterprise Linux 6, but the script is not shipped as part of ctdb binary packages. > ./ctdb-1.0.114.5/config/ctdb.sysconfig: > # defaults to /tmp/ctdb.socket > # CTDB_SOCKET=/tmp/ctdb.socket > ./ctdb-1.0.114.5/include/ctdb_private.h: > #define CTDB_PATH "/tmp/ctdb.socket" Fixed upstream in: https://git.samba.org/?p=ctdb.git;a=commitdiff;h=dc67a4e24af9d07aead2a1710eeaf5d6cc409201
Created ctdb tracking bugs for this issue: Affects: fedora-all [bug 1102900]
ctdb-2.5.4-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.