Re: [PATCH] install-sh: avoid (low risk) race in /tmp

2018-03-11 Thread Mathieu Lirzin
Hello,

Sorry for the long delay.

Pavel Raiskup writes:

> Ensure that nobody can cross privilege boundaries by pre-creating
> a symlink on the '$tmpdir' path.
>
> Just testing 'mkdir -p' by creating '/tmp/ins$RANDOM-$$/d' is not
> safe because '/tmp' directory is usually world-writeable and
> '/tmp/ins$RANDOM-$$' content could be pretty easily guessed by
> an attacker (at least for shells where $RANDOM is not supported).
> So, as the first step, create the '/tmp/ins$RANDOM-$$' without -p.
> This step would fail early if somebody wanted to catch us.
>
> Note that systems that implement (and have enabled)
> fs.protected_symlinks kernel feature are not affected even without
> this commit.
>
> References:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760455
> https://bugzilla.redhat.com/show_bug.cgi?id=1140725
>
> * lib/install-sh: Implement safer 'mkdir -p' test by running
> '$mkdirprog $mkdir_mode "$tmpdir"' first.
> (scriptversion): Bump.
> ---
>  lib/install-sh | 25 +
>  1 file changed, 17 insertions(+), 8 deletions(-)

Applied in commit 968bf9f66e3966d1975295b97539876518ebd2a0.

Thank you for the patch.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37
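
The ordering the quoted commit message describes, as an added example that is not part of this thread and is not the code in lib/install-sh. The function names, the sandbox layout, the 'ins1234-1' names and the '-m 700' mode are assumptions made for the illustration; a private mktemp directory stands in for a world-writable /tmp.

```shell
#!/bin/sh
# Added illustration (constructed sandbox), not the install-sh implementation.

# Pattern the commit message calls unsafe: 'mkdir -p' accepts an existing
# path component, a symlink included, and creates 'd' behind it.
unsafe_probe() {
  mkdir -p -- "$1/d" 2>/dev/null
}

# Ordering from the commit message: create the top directory without -p first.
# mkdir fails (EEXIST) when the name already exists, even as a symlink, so the
# probe stops before anything is written through it.
# '-m 700' is an assumed mode for this example.
safe_probe() {
  mkdir -m 700 -- "$1" 2>/dev/null || return 1
  mkdir -p -- "$1/d" 2>/dev/null
}

# Runs both probes against a constructed, pre-planted symlink and reports
# "<unsafe result> <safe result> <safe result on an unused name>".
demo() {
  sandbox=$(mktemp -d) || return 2
  mkdir "$sandbox/victim"
  # Constructed: the guessed temp name already exists as a symlink.
  ln -s "$sandbox/victim" "$sandbox/ins1234-1"

  unsafe_probe "$sandbox/ins1234-1" || true
  if [ -d "$sandbox/victim/d" ]; then unsafe=followed; else unsafe=blocked; fi
  rm -rf "$sandbox/victim/d"

  if safe_probe "$sandbox/ins1234-1" || [ -d "$sandbox/victim/d" ]; then
    safe=followed
  else
    safe=blocked
  fi

  # An unused name still works, so the 'mkdir -p' test itself is preserved.
  if safe_probe "$sandbox/ins5678-2"; then fresh=created; else fresh=failed; fi

  rm -rf "$sandbox"
  echo "$unsafe $safe $fresh"
}

demo
```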



Re: [PATCH] install-sh: avoid (low risk) race in /tmp

2018-02-27 Thread Mathieu Lirzin
Hello Thomas,

Thomas Deutschmann writes:

> Pavel Raiskup submitted a patch to avoid a (low risk) race
> in /tmp in April 2015 [1] which still isn't merged.
>
> Was there a reason or was it just forgotten? Maybe we can
> add it now?

Yes, it has just been forgotten. If the patch is safe, then yes, we can
apply it for 1.16.1.

> It is currently present in Red Hat, Debian and Gentoo
> (haven't checked more distributions).
>
> See also:
> =========
> [1] https://lists.gnu.org/archive/html/automake-patches/2015-04/msg1.html

I will take a closer look in the following days.

Thanks for reminding us.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37



Re: [PATCH] install-sh: avoid (low risk) race in /tmp

2018-02-27 Thread Thomas Deutschmann
Hi,

Pavel Raiskup submitted a patch to avoid a (low risk) race
in /tmp in April 2015 [1] which still isn't merged.

Was there a reason or was it just forgotten? Maybe we can
add it now?

It is currently present in Red Hat, Debian and Gentoo
(haven't checked more distributions).


See also:
=========
[1] https://lists.gnu.org/archive/html/automake-patches/2015-04/msg1.html

-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5