Hi, I noticed today that ebiptablesWriteToTempFile() creates a temporary file in /tmp that is later executed. It uses mkstemp() and therefore is safe from symlink attacks, however, there is not really any reason that I can see why it is using /tmp instead of somewhere like /var/lib/libvirt. If libvirtd is confined under a MAC which allows execution of /tmp/virtd* and a vulnerability is found in libvirtd, the /tmp path leaves an opportunity for a local non-root attacker to write a script in /tmp and then subvert libvirt to execute that script. Putting it in /var/lib/libvirt (or somewhere without world-write permissions) would prevent this. I do not consider this a security vulnerability, but rather defensive programming. Attached is a patch that uses LOCAL_STATE_DIR "/lib/libvirt/virtdXXXXXX". Feel free to move it somewhere else if desired. Patch is against head. Thanks -- Jamie Strandboge | http://www.canonical.com
diff -Naurp libvirt.orig/src/nwfilter/nwfilter_ebiptables_driver.c libvirt/src/nwfilter/nwfilter_ebiptables_driver.c --- libvirt.orig/src/nwfilter/nwfilter_ebiptables_driver.c 2010-06-16 13:41:10.000000000 -0500 +++ libvirt/src/nwfilter/nwfilter_ebiptables_driver.c 2010-06-16 13:42:29.000000000 -0500 @@ -2183,7 +2183,7 @@ ebiptablesDisplayRuleInstance(virConnect */ static char * ebiptablesWriteToTempFile(const char *string) { - char filename[] = "/tmp/virtdXXXXXX"; + char filename[] = LOCAL_STATE_DIR "/lib/libvirt/virtdXXXXXX"; int len; char *filnam; virBuffer buf = VIR_BUFFER_INITIALIZER;
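Review bot: the new path assumes that LOCAL_STATE_DIR "/lib/libvirt" already exists and is writable by the daemon at the time ebiptablesWriteToTempFile() runs; nothing in the hunk creates that directory or checks for it, so where it is absent (or where the daemon runs unprivileged) mkstemp() will now fail where the /tmp variant succeeded. Consider creating the directory during driver initialization or documenting the dependency, and prefer a single shared macro for the state directory over the literal "/lib/libvirt" concatenated onto LOCAL_STATE_DIR, so the location is not spelled out in a second place.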
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
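The defensive pattern argued for above, as an added example that is not libvirt's code or part of the patch: a hypothetical helper `write_private_tempfile()` that refuses to create an executable temp file in a directory that is world-writable or owned by another user, then uses mkstemp() for the file itself. The `demo()` function builds a constructed directory to exercise both the accepting and the refusing path.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `content` to a fresh mkstemp() file under `dir`, but only if `dir`
 * is a directory we own that is not world-writable (so no other local user
 * could have planted a file there). Returns a malloc'd path, or NULL with
 * errno set. Hypothetical helper for illustration, not libvirt's own code. */
char *write_private_tempfile(const char *dir, const char *content)
{
    struct stat st;
    if (stat(dir, &st) < 0)
        return NULL;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() || (st.st_mode & S_IWOTH)) {
        errno = EACCES;                       /* /tmp-like directory: refuse */
        return NULL;
    }
    size_t n = strlen(dir) + sizeof("/virtdXXXXXX");
    char *path = malloc(n);
    if (!path)
        return NULL;
    snprintf(path, n, "%s/virtdXXXXXX", dir);
    int fd = mkstemp(path);                   /* O_EXCL create, never follows a symlink */
    if (fd < 0) { free(path); return NULL; }
    size_t len = strlen(content), off = 0;
    while (off < len) {                       /* handle short writes */
        ssize_t w = write(fd, content + off, len - off);
        if (w < 0 && errno == EINTR) continue;
        if (w < 0) { close(fd); unlink(path); free(path); return NULL; }
        off += (size_t)w;
    }
    /* Make it executable for the owner only, after the content is complete. */
    if (fchmod(fd, S_IRUSR | S_IWUSR | S_IXUSR) < 0 || close(fd) < 0) {
        unlink(path); free(path); return NULL;
    }
    return path;
}

/* Constructed check: a 0700 state directory is accepted, the same directory
 * made sticky and world-writable (like /tmp) is refused. Returns 1 if both hold. */
int demo(void)
{
    char dir[] = "/tmp/statedirXXXXXX";       /* constructed, created mode 0700 */
    if (!mkdtemp(dir)) return 0;
    char *p = write_private_tempfile(dir, "#!/bin/sh\necho hi\n");
    int ok = p != NULL && access(p, X_OK) == 0;
    chmod(dir, 01777);                        /* now world-writable with sticky bit */
    char *q = write_private_tempfile(dir, "x");
    ok = ok && q == NULL && errno == EACCES;
    if (p) { unlink(p); free(p); }
    free(q); rmdir(dir);
    return ok;
}
```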