Re: [PATCH] install-sh: avoid (low risk) race in /tmp
Hello,

Sorry for the long delay.

Pavel Raiskup writes:

> Ensure that nobody can cross privilege boundaries by pre-creating
> symlink on '$tmpdir' path.
>
> Just testing 'mkdir -p' by creating '/tmp/ins$RANDOM-$$/d' is not
> safe because '/tmp' directory is usually world-writeable and
> '/tmp/ins$RANDOM-$$' content could be pretty easily guessed by
> attacker (at least for shells where $RANDOM is not supported).
> So, as the first step, create the '/tmp/ins$RANDOM-$$' without -p.
> This step would fail early if somebody wanted to catch us.
>
> Note that systems that implement (and have enabled)
> fs.protected_symlinks kernel feature are not affected even without
> this commit.
>
> References:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760455
> https://bugzilla.redhat.com/show_bug.cgi?id=1140725
>
> * lib/install-sh: Implement safer 'mkdir -p' test by running
> '$mkdirprog $mkdir_mode "$tmpdir"' first.
> (scriptversion): Bump.
> ---
> lib/install-sh | 25 +
> 1 file changed, 17 insertions(+), 8 deletions(-)

Applied in commit 968bf9f66e3966d1975295b97539876518ebd2a0.

Thank you for the patch.

--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
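
The difference between the two probes described in the commit message above, as an added example that is not part of the thread and not the code from lib/install-sh. The function names and the scratch layout are hypothetical; a private directory from mktemp stands in for /tmp.

```shell
# Added illustration; function names are hypothetical, not taken from install-sh.

# Old-style probe: 'mkdir -p' succeeds when the parent already exists, even
# if the parent is a symlink created by someone else, so 'd' ends up in
# whatever directory the link points at.
probe_unsafe() {
    mkdir -p -- "$1/d" 2>/dev/null
}

# Safer probe: create the parent first WITHOUT -p. mkdir(2) fails with EEXIST
# for any pre-existing name (file, directory or symlink), so a pre-created
# path stops the probe early instead of being followed.
probe_safe() {
    (umask 077 && mkdir -- "$1") 2>/dev/null || return 1
    mkdir -p -- "$1/d" 2>/dev/null
}

# Constructed scenario: 'base' stands in for world-writable /tmp, 'victim'
# for the directory a pre-created symlink points at.
demo() {
    base=$(mktemp -d) || return 2
    mkdir "$base/victim"
    ln -s "$base/victim" "$base/ins-guessed"   # name exists before the probe

    result=
    probe_unsafe "$base/ins-guessed" && [ -d "$base/victim/d" ] &&
        result="unsafe:followed"
    rmdir "$base/victim/d" 2>/dev/null || :

    if probe_safe "$base/ins-guessed"; then
        result="$result safe:followed"
    else
        result="$result safe:refused"
    fi
    [ -e "$base/victim/d" ] && result="$result leaked"

    # A fresh, unused name must still pass the safer probe.
    probe_safe "$base/ins-fresh" && [ -d "$base/ins-fresh/d" ] &&
        result="$result fresh:ok"

    rm -rf -- "$base"
    printf '%s\n' "$result"
}
```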
Re: [PATCH] install-sh: avoid (low risk) race in /tmp
Hello Thomas,

Thomas Deutschmann writes:

> Pavel Raiskup submitted a patch to avoid a (low risk) race
> in /tmp in April 2015 [1] which still isn't merged.
>
> Was there a reason or was it just forgotten? Maybe we can
> add it now?

Yes, it has just been forgotten. If the patch is safe then yes, we can apply it for 1.16.1.

> It is currently present in Red Hat, Debian and Gentoo
> (haven't checked more distributions).
>
> See also:
> =
> [1] https://lists.gnu.org/archive/html/automake-patches/2015-04/msg1.html

I will take a closer look in the following days.

Thanks for reminding us.

--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
Re: [PATCH] install-sh: avoid (low risk) race in /tmp
Hi,

Pavel Raiskup submitted a patch to avoid a (low risk) race
in /tmp in April 2015 [1] which still isn't merged.

Was there a reason or was it just forgotten? Maybe we can
add it now?

It is currently present in Red Hat, Debian and Gentoo
(haven't checked more distributions).

See also:
=
[1] https://lists.gnu.org/archive/html/automake-patches/2015-04/msg1.html

--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5