Re: CVS griph: fix tempfile vulnerabilities in FvwmCommand (bug

2006-07-12 Thread Dominik Vogt 
On Wed, Jul 12, 2006 at 01:28:45AM +0200, Viktor Griph wrote:
 On Tue, 11 Jul 2006, Dominik Vogt wrote:
 
 On Tue, Jul 11, 2006 at 10:16:09AM -0500, fvwm-workers wrote:
 CVSROOT:/home/cvs/fvwm
 Module name:fvwm
 Changes by: griph   06/07/11 10:16:09
 
 Modified files:
 .  : ChangeLog NEWS configure.ac
 modules: ChangeLog
 modules/FvwmCommand: FvwmCommand.1.in FvwmCommand.c
  FvwmCommandS.c fifos.c
 
 Log message:
 fix tempfile vulnerabilities in FvwmCommand (bug #2791).
 
 Can you explain what you actually did, please?
 
 
 Sure.
 First: When deciding on the default path the three files that are to be 
 used are tested with lstat (or stat if lstat is unavalable) to have the 
 same owner as the process owner, not have nore than one hard link and not 
 be a directory nor a symbolic link. If any of the tests fail the path will 
 be redirected to $FVWM_USERDIR instead of /var/tmp to avoid attacks 
 blocking the module. If some tests are impossible to do they are 
 concidered OK.

Actually, since we are creating the file with O_CREAT | O_EXCL,
there is no chance of a symlink attack (because symlinks exist
even if they do not point to anything).

 Second: All open() calls use O_NOFOLLOW if that flag is defined.

Good, but I don't want new ifdefs in the code.  Instead, please
add this to the end of the AH_VERBATIM macro
_ZEND_EXPLICIT_DEFINITIONS in configure.ac, beginning at line
1195:

  #ifndef O_NOFOLLOW
  #define O_NOFOLLOW 0
  #endif

This snippet is added to the end of config.h.  Afterwards you can
use O_NOFOLLOW without ifdefs.  As a rule of thumb, never put any
ifdefs in a .c file (or better: anywhere).

 I believe this should be enough,

We really shouldn't be using public tempdirs at all.  I wasn't
aware that we are using /var/tmp.

 but if one are really paranoid one could 
 add checks of the opened files in FvwmCommand.c to verify that they are 
 fifos with correect permissions.

Ah, but it's too late if the file is open already.

Ciao

Dominik ^_^  ^_^

 --
Dominik Vogt, [EMAIL PROTECTED]


signature.asc
Description: Digital signature

Re: CVS griph: fix tempfile vulnerabilities in FvwmCommand (bug

2006-07-12 Thread Dominik Vogt 
On Wed, Jul 12, 2006 at 09:50:01AM +0200, Dominik Vogt wrote:
 On Wed, Jul 12, 2006 at 01:28:45AM +0200, Viktor Griph wrote:
 Good, but I don't want new ifdefs in the code.  Instead, please
 add this to the end of the AH_VERBATIM macro
 _ZEND_EXPLICIT_DEFINITIONS in configure.ac, beginning at line
 1195:
 
   #ifndef O_NOFOLLOW
   #define O_NOFOLLOW 0
   #endif
 
 This snippet is added to the end of config.h.

I' have done that part myself because I had to include fcntl.h
too.  The ifdefs in the code still have to be removed.

 As a rule of thumb, never put any
 ifdefs in a .c file (or better: anywhere).

I.e. fetuere tests belong into configure.ac.

Ciao

Dominik ^_^  ^_^

 --
Dominik Vogt, [EMAIL PROTECTED]


signature.asc
Description: Digital signature

Re: CVS griph: fix tempfile vulnerabilities in FvwmCommand (bug

2006-07-12 Thread Jacob Bachmeyer 

Dominik Vogt wrote:

On Wed, Jul 12, 2006 at 01:28:45AM +0200, Viktor Griph wrote:
  
but if one are really paranoid one could 
add checks of the opened files in FvwmCommand.c to verify that they are 
fifos with correect permissions.



Ah, but it's too late if the file is open already.
  
Is there some reason that fstat({2,P}) isn't usable? It takes an open 
file descriptor.

CVS griph: fix tempfile vulnerabilities in FvwmCommand (bug #2791).

2006-07-11 Thread FVWM CVS 
CVSROOT:/home/cvs/fvwm
Module name:fvwm
Changes by: griph   06/07/11 10:16:09

Modified files:
.  : ChangeLog NEWS configure.ac 
modules: ChangeLog 
modules/FvwmCommand: FvwmCommand.1.in FvwmCommand.c 
 FvwmCommandS.c fifos.c 

Log message:
fix tempfile vulnerabilities in FvwmCommand (bug #2791).

Re: CVS griph: fix tempfile vulnerabilities in FvwmCommand (bug #2791).

2006-07-11 Thread Dominik Vogt 
On Tue, Jul 11, 2006 at 10:16:09AM -0500, fvwm-workers wrote:
 CVSROOT:  /home/cvs/fvwm
 Module name:  fvwm
 Changes by:   griph   06/07/11 10:16:09
 
 Modified files:
   .  : ChangeLog NEWS configure.ac 
   modules: ChangeLog 
   modules/FvwmCommand: FvwmCommand.1.in FvwmCommand.c 
FvwmCommandS.c fifos.c 
 
 Log message:
 fix tempfile vulnerabilities in FvwmCommand (bug #2791).

Can you explain what you actually did, please?

Ciao

Dominik ^_^  ^_^

 --
Dominik Vogt, [EMAIL PROTECTED]


signature.asc
Description: Digital signature

Re: CVS griph: fix tempfile vulnerabilities in FvwmCommand (bug

2006-07-11 Thread Viktor Griph 

On Tue, 11 Jul 2006, Dominik Vogt wrote:


On Tue, Jul 11, 2006 at 10:16:09AM -0500, fvwm-workers wrote:

CVSROOT:/home/cvs/fvwm
Module name:fvwm
Changes by: griph   06/07/11 10:16:09

Modified files:
.  : ChangeLog NEWS configure.ac
modules: ChangeLog
modules/FvwmCommand: FvwmCommand.1.in FvwmCommand.c
 FvwmCommandS.c fifos.c

Log message:
fix tempfile vulnerabilities in FvwmCommand (bug #2791).


Can you explain what you actually did, please?



Sure.
First: When deciding on the default path the three files that are to be 
used are tested with lstat (or stat if lstat is unavalable) to have the 
same owner as the process owner, not have nore than one hard link and not 
be a directory nor a symbolic link. If any of the tests fail the path will 
be redirected to $FVWM_USERDIR instead of /var/tmp to avoid attacks 
blocking the module. If some tests are impossible to do they are 
concidered OK.

Second: All open() calls use O_NOFOLLOW if that flag is defined.

I believe this should be ennough, but if one are really paranoid one could 
add checks of the opened files in FvwmCommand.c to verify that they are 
fifos with correect permissions.


/Viktor