Bug#574832: [security] possible symlink attack against /tmp/ddclient.cache

2010-03-22 Thread Torsten Landschoff
On Sun, Mar 21, 2010 at 09:45:02PM +0100, Nico Golde wrote:
> > Also, I'm watching syslog quite a lot and I noticed this line at boot:
> > | Mar 21 19:56:39 r2 ddclient[3135]: WARNING:  file
> > /tmp/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''
>
> Hmm ok, this is strange. When I wrote this I tested it and it was using
> /var/cache and I had a *quick* look at the code that indicated the same.
> Maybe the ddclient maintainer can clarify the situation, I lack the time to
> dig deeper.

AFAIK it uses /var/cache/ddclient.cache, never even thought it was using /tmp.
Guess I'll have to investigate that.

Greetings, Torsten






Bug#574832: [security] possible symlink attack against /tmp/ddclient.cache

2010-03-21 Thread Teodor
Package: ddclient
Version: 3.8.0-10
Severity: grave
Tags: security
Justification: user security hole

Hi,

A local user could perform a symlink attack against /tmp/ddclient.cache file.
I see two solutions for this problem:
1) use /var/run/ddclient.cache as the cache file (only root has access here)
2) use `mktemp' to create a non-predictable temporary file.

The first solution seems to be the best as it avoids the complexity of working
with non-predictable temporary files (create, find, update, close).

Thanks

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ddclient depends on:
ii  debconf [debconf-2.0]  1.5.28       Debian configuration management sy
ii  initscripts            2.87dsf-8.1  scripts for initializing and shutt
ii  lsb-base               3.2-23       Linux Standard Base 3.2 init scrip
ii  perl [perl5]           5.10.1-11    Larry Wall's Practical Extraction

Versions of packages ddclient recommends:
ii  libio-socket-ssl-perl 1.31-1 Perl module implementing object or

ddclient suggests no packages.

-- debconf information excluded
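
The two fixes proposed in this report (a directory only root can write to, and `mktemp` for an unpredictable name) combined in a shell sketch. This is an added example, not part of the bug report and not ddclient code; `dir_is_private`, `write_cache`, `demo` and all sandbox paths are hypothetical names constructed for the illustration.

```shell
#!/bin/sh
# Added example, not ddclient code. All paths are constructed for the demo.

# Succeeds when DIR is a real directory owned by the caller and not writable
# by group or other, so no other local user can plant names in it.
# Simplification: only the immediate parent is checked, not every ancestor.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld "$1") in
        ?????w*|????????w*) return 1 ;;  # group- or world-writable, like /tmp
    esac
    return 0
}

# Write stdin to CACHE. Refuses a shared parent directory or a symlinked
# target, then fills a fresh mktemp file and renames it into place, so a
# pre-existing name is never opened for writing.
write_cache() {
    cache=$1
    dir=$(dirname "$cache")
    if ! dir_is_private "$dir"; then
        echo "refusing $cache: $dir is not private" >&2; return 1
    fi
    if [ -L "$cache" ]; then
        echo "refusing $cache: target is a symlink" >&2; return 1
    fi
    tmp=$(mktemp "$dir/.ddclient.cache.XXXXXX") || return 1
    if cat > "$tmp" && mv -f "$tmp" "$cache"; then return 0; fi
    rm -f "$tmp"; return 1
}

# Demo in a throwaway sandbox: "shared" stands in for /tmp, "private" for a
# root-writable directory such as /var/run or /var/cache/ddclient.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" "$box/private"
    chmod 1777 "$box/shared"; chmod 700 "$box/private"
    echo "unrelated file" > "$box/victim"
    ln -s "$box/victim" "$box/shared/ddclient.cache"  # pre-planted name
    for d in shared private; do
        if echo "ip=192.0.2.1" | write_cache "$box/$d/ddclient.cache"; then
            echo "$d: cache written"
        else
            echo "$d: refused, victim still reads: $(cat "$box/victim")"
        fi
    done
    rm -rf "$box"
}
demo
```

The private-directory check is what removes the exposure; `mktemp` plus rename additionally keeps readers from ever seeing a half-written cache.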






Bug#574832: [security] possible symlink attack against /tmp/ddclient.cache

2010-03-21 Thread Nico Golde
Hey,
* Teodor mteo...@gmail.com [2010-03-21 16:49]:
> A local user could perform a symlink attack against /tmp/ddclient.cache file.
> I see two solutions for this problem:
> 1) use /var/run/ddclient.cache as the cache file (only root has access here)
> 2) use `mktemp' to create a non-predictable temporary file.
>
> The first solution seems to be the best as it avoids the complexity of working
> with non-predictable temporary files (create, find, update, close).

From what I see it is using /var/cache/ddclient/ddclient.cache. Can you 
elaborate why you think it's using /tmp/?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#574832: [security] possible symlink attack against /tmp/ddclient.cache

2010-03-21 Thread Teodor MICU
Hi,

On Sun, Mar 21, 2010 at 6:43 PM, Nico Golde n...@debian.org wrote:
> From what I see it is using /var/cache/ddclient/ddclient.cache. Can you
> elaborate why you think it's using /tmp/?

It doesn't appear to be using that directory. This is what I have on my laptop:
| d...@r2:~$ ls -l /tmp/ddclient.cache /var/cache/ddclient/
| -rw--- 1 root root  262 2010-03-21 19:56 /tmp/ddclient.cache
|
| /var/cache/ddclient/:
| total 0

Also, I'm watching syslog quite a lot and I noticed this line at boot:
| Mar 21 19:56:39 r2 ddclient[3135]: WARNING:  file
/tmp/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''

Thanks






Bug#574832: [security] possible symlink attack against /tmp/ddclient.cache

2010-03-21 Thread Nico Golde
Hey,
* Teodor MICU mteo...@gmail.com [2010-03-21 19:23]:
> On Sun, Mar 21, 2010 at 6:43 PM, Nico Golde n...@debian.org wrote:
> > From what I see it is using /var/cache/ddclient/ddclient.cache. Can you
> > elaborate why you think it's using /tmp/?
>
> It doesn't appear to be using that directory. This is what I have on my laptop:
> | d...@r2:~$ ls -l /tmp/ddclient.cache /var/cache/ddclient/
> | -rw--- 1 root root  262 2010-03-21 19:56 /tmp/ddclient.cache
> |
> | /var/cache/ddclient/:
> | total 0
>
> Also, I'm watching syslog quite a lot and I noticed this line at boot:
> | Mar 21 19:56:39 r2 ddclient[3135]: WARNING:  file
> /tmp/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''

Hmm ok, this is strange. When I wrote this I tested it and it was using
/var/cache and I had a *quick* look at the code that indicated the same. Maybe
the ddclient maintainer can clarify the situation, I lack the time to dig
deeper.

Cheers
nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.

