On Sat, Aug 16, 2003 at 08:33:01PM -0500, John Hasler wrote:
> Matt Zimmerman writes:
> > Unfortunately, stable still has 1.1.1-13.1, which means it still contains
> > this bug. If there is a genuine security exposure, it should be fixed
> > for stable as well.
>
> The /var/tmp/logcheck directory is created by dpkg during installation and
> so can be spoofed by a local attacker who simply creates it first. The
> files in it are created by structures such as '> $TMPDIR/check.$$', relying
> on
>
> rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
> if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f \
>      $TMPDIR/checkreport.$$ ]; then
>     echo "Log files exist in $TMPDIR directory that cannot be removed. This
>     may be an attempt to spoof the log checker." \
>     | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
>     exit 1
> fi
>
> for security. It seems to me that there is a race condition here that
> might let a clever attacker who has already spoofed the directory at
> install time spoof files in TMPDIR.
I didn't think that dpkg actually allowed users to spoof subdirectories this
way, even in a world-writable directory, but I tried it and it works:

mizar:[/usr/share/doc] sudo mkdir hello
Password:
mizar:[/usr/share/doc] sudo chown mdz hello
mizar:[/usr/share/doc] ls -ld hello
drwxr-xr-x    2 mdz      root         4096 2003-08-16 22:14 hello
mizar:[/usr/share/doc] sudo apt-get install hello
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  hello
0 packages upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 47.9kB of archives.
After unpacking 223kB of additional disk space will be used.
Get:1 http://debian unstable/main hello 2.1.1-1 [47.9kB]
Fetched 47.9kB in 0s (717kB/s)
Reading changelogs... Done
Selecting previously deselected package hello.
(Reading database ... 100008 files and directories currently installed.)
Unpacking hello (from .../hello_2.1.1-1_i386.deb) ...
Setting up hello (2.1.1-1) ...
mizar:[/usr/share/doc] ls -ld hello
drwxr-xr-x    2 mdz      root         4096 2003-08-16 22:14 hello
mizar:[/usr/share/doc] ls -l hello
total 20
-rw-r--r--    1 root     root         2066 2002-06-08 14:12 NEWS
-rw-r--r--    1 root     root         2586 2002-10-12 15:07 changelog.Debian.gz
-rw-r--r--    1 root     root         5058 2002-06-09 01:41 changelog.gz
-rw-r--r--    1 root     root         2429 2002-10-12 13:40 copyright

Even though the directory was created outside the packaging system, its
existing permissions and ownership are preserved. I don't think this should
happen.

So I guess we need to fix this for woody. Steve, are you willing to prepare
an update to fix this bug? The fix used in 1.1.1-13.2 seems to have been to
use mktemp -d to create a directory at runtime instead, and that seems
reasonable to me.

-- 
 - mdz
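As an added illustration, not part of this mail and not the logcheck package's own code, the POSIX sh below sketches the approach the 1.1.1-13.2 fix is said to take: a fresh per-run directory from mktemp -d instead of a fixed path such as /var/tmp/logcheck, paired with a check that a candidate directory is a real directory (not a symlink), is owned by the user running the script and is not group- or world-writable. A directory preserved by dpkg with someone else's ownership, like the "drwxr-xr-x mdz root" one above, fails the ownership test when the script runs as root. The function names and the logcheck.XXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the logcheck package).

# tmpdir_is_trusted DIR
# Return 0 when DIR is a directory that is not a symlink, is owned by the
# caller's uid, and has neither the group nor the other write bit set.
tmpdir_is_trusted() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    # ls -ldn prints the numeric owner uid in field 3 (POSIX).
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    # First ten characters of the long listing are the type and mode bits;
    # position 6 is group-write and position 9 is other-write.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        d????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# safe_tmpdir
# Create a new private (0700) directory with mktemp -d, verify it with the
# check above, and print its path. Nothing in the old rm -f / -f test /
# '> $TMPDIR/check.$$' sequence is reused, so there is no window between
# checking and creating in a directory someone else may control.
safe_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/logcheck.XXXXXX") || return 1
    tmpdir_is_trusted "$d" || { rmdir "$d"; return 1; }
    printf '%s\n' "$d"
}

# Run directly with --demo to see it in use: work files are created inside
# the private directory with a restrictive umask and removed on exit.
if [ "${1:-}" = "--demo" ]; then
    WORK=$(safe_tmpdir) || { echo "could not create a trusted work directory" >&2; exit 1; }
    trap 'rm -rf "$WORK"' EXIT
    (umask 077; : > "$WORK/check.$$")
    echo "working in $WORK"
    ls -ld "$WORK"
fi
```

The important difference from the quoted snippet is that the work directory never exists before the run and is never shared, so the "cannot be removed" test and its ACTIVE SYSTEM ATTACK mail are no longer needed to detect a spoofed directory; the ownership and mode check is kept as a belt-and-braces assertion in case TMPDIR itself points somewhere unexpected.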

