On 06/16/2010 01:11 PM, Stefan Berger wrote:
> On 06/16/2010 02:54 PM, Jamie Strandboge wrote:
>> Hi,
>>
>> I noticed today that ebiptablesWriteToTempFile() creates a temporary
>> file in /tmp that is later executed. It uses mkstemp() and therefore is
>> safe from symlinks attacks, however, there is not really any reason that
>> I can see why it is using /tmp instead of somewhere
>> like /var/lib/libvirt. If libvirtd is confined under a MAC which allows
>> execution of /tmp/virtd* and a vulnerability is found in libvirtd,
>> the /tmp path leaves an opportunity for a local non-root attacker to
>> write a script in /tmp and then subvert libvirt to execute that script.
>>
> I don't mind the move of the temporary file, but I'd like to understand
> how would someone subvert libvirt to run an arbitrary script?

I'm with Stefan - the whole point of mkstemp is that the created file
has 0600 permissions, and /tmp is restricted-deletion, so no other user
can either overwrite the file contents or unlink it and replace it with
an alternate file.

Then again, gnulib documents that glibc 2.0.7 or older would create a
file with group/other permissions if the umask wasn't set prior to the
mkstemp() call, and gnulib's mkstemp() does not work around this issue;
but that's a rather old version of glibc to be worrying about.

--
Eric Blake   eblake@xxxxxxxxxx   +1-801-349-2682
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
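
The two points raised in this thread (a daemon-private directory instead of /tmp, and not relying on mkstemp() alone for the 0600 mode) can be combined as in the following added C sketch, which is not libvirt's code. The function names `dir_is_private` and `make_private_temp` are hypothetical, and the `virtd` file prefix is borrowed from the `/tmp/virtd*` pattern mentioned above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* expose mkstemp()/mkdtemp() on strict compilers */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `dir` is a directory we own that group/other cannot write to. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/*
 * Create a temporary file in `dir` (assumed: a daemon-private directory such
 * as /var/lib/libvirt). Returns an open fd and fills `path`, or -1 on failure.
 */
int make_private_temp(const char *dir, char *path, size_t len)
{
    struct stat st;
    mode_t old;
    int fd, n;

    if (!dir_is_private(dir))
        return -1;
    n = snprintf(path, len, "%s/virtdXXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return -1;

    /* Set the umask first: covers a libc whose mkstemp() honours the umask. */
    old = umask(077);
    fd = mkstemp(path);
    umask(old);
    if (fd < 0)
        return -1;

    /* Verify the result: regular file, ours, no group/other bits, one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}
```

Note that umask() is process-wide, so in a multi-threaded daemon the temporary change also affects files created concurrently by other threads.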