Re: SECURITY: psql allows symlink games in /tmp
От | Bruce Momjian |
---|---|
Тема | Re: SECURITY: psql allows symlink games in /tmp |
Дата | |
Msg-id | 200011250619.BAA09045@candle.pha.pa.us обсуждение исходный текст |
Ответ на | SECURITY: psql allows symlink games in /tmp (Andrew Bartlett <abartlet@pcug.org.au>) |
Список | pgsql-hackers |
Thanks for the pointer. Here is a diff to fix the problem. How does it look to you? > This code in psql/command.c allows *any* system user to place a > predictably named symbolic link in /tmp and use it to alter/destroy > files owned by the user running psql. (tested - postgresql 7.0.2). > > All the information a potential attacker would need are available via a > simple 'ps'. > > It might (untested) also allow an another user to exploit the race > between the closing of the file by the editor and the re-reading of its > contents to execute arbitrary SQL commands. > > IMHO these files, if they must be created in /tmp should at least be > created O_EXCL, but there are still editor vulnerabilities with opening > any files in a world writeable directory (see recent joe Vulnerability: > http://lwn.net/2000/1123/a/sec-joe.php3) > > My system is RedHat 6.2 on an i686, with Postgresql 7.0.2 but the same > code currently exists in CVS (or at least CVS-web). > > I am not subscribed to this list, so please CC me for replies. (Also > tell me if there is a more appropriate forum for this, but > www.postgresql.org doesn't have a listed security issue address). > -- > Andrew Bartlett > abartlet@pcug.org.au > -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026 ? config.log ? config.cache ? config.status ? GNUmakefile ? src/Makefile.custom ? src/GNUmakefile ? src/Makefile.global ? src/log ? src/crtags ? src/backend/postgres ? src/backend/catalog/global.description ? src/backend/catalog/global.bki ? src/backend/catalog/template1.bki ? src/backend/catalog/template1.description ? src/backend/port/Makefile ? src/bin/initdb/initdb ? src/bin/initlocation/initlocation ? src/bin/ipcclean/ipcclean ? src/bin/pg_config/pg_config ? src/bin/pg_ctl/pg_ctl ? src/bin/pg_dump/pg_dump ? src/bin/pg_dump/pg_restore ? src/bin/pg_dump/pg_dumpall ? src/bin/pg_id/pg_id ? src/bin/pg_passwd/pg_passwd ? src/bin/pgaccess/pgaccess ? src/bin/pgtclsh/Makefile.tkdefs ? src/bin/pgtclsh/Makefile.tcldefs ? src/bin/pgtclsh/pgtclsh ? src/bin/pgtclsh/pgtksh ? src/bin/psql/psql ? src/bin/scripts/createlang ? src/include/config.h ? src/include/stamp-h ? src/interfaces/ecpg/lib/libecpg.so.3.2.0 ? src/interfaces/ecpg/preproc/ecpg ? src/interfaces/libpgeasy/libpgeasy.so.2.1 ? src/interfaces/libpgtcl/libpgtcl.so.2.1 ? src/interfaces/libpq/libpq.so.2.1 ? src/interfaces/perl5/blib ? src/interfaces/perl5/Makefile ? src/interfaces/perl5/pm_to_blib ? src/interfaces/perl5/Pg.c ? src/interfaces/perl5/Pg.bs ? src/pl/plperl/blib ? src/pl/plperl/Makefile ? src/pl/plperl/pm_to_blib ? src/pl/plperl/SPI.c ? src/pl/plperl/plperl.bs ? src/pl/plpgsql/src/libplpgsql.so.1.0 ? src/pl/tcl/Makefile.tcldefs Index: src/bin/psql/command.c =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/src/bin/psql/command.c,v retrieving revision 1.38 diff -c -r1.38 command.c *** src/bin/psql/command.c 2000/11/13 23:37:53 1.38 --- src/bin/psql/command.c 2000/11/25 06:18:33 *************** *** 13,19 **** #include <ctype.h> #ifndef WIN32 #include <sys/types.h> /* for umask() */ ! #include <sys/stat.h> /* for umask(), stat() */ #include <unistd.h> /* for geteuid(), getpid(), stat() */ #else #include <win32.h> --- 13,20 ---- #include <ctype.h> #ifndef WIN32 #include <sys/types.h> /* for umask() */ ! #include <sys/stat.h> /* for stat() */ ! #include <fcntl.h> /* open() flags */ #include <unistd.h> /* for geteuid(), getpid(), stat() */ #else #include <win32.h> *************** *** 1397,1403 **** FILE *stream; const char *fname; bool error = false; ! #ifndef WIN32 struct stat before, after; --- 1398,1405 ---- FILE *stream; const char *fname; bool error = false; ! int fd; ! #ifndef WIN32 struct stat before, after; *************** *** 1411,1417 **** { /* make a temp file to edit */ #ifndef WIN32 - mode_t oldumask; const char *tmpdirenv = getenv("TMPDIR"); sprintf(fnametmp, "%s/psql.edit.%ld.%ld", --- 1413,1418 ---- *************** *** 1422,1436 **** #endif fname = (const char *) fnametmp; ! #ifndef WIN32 ! oldumask = umask(0177); ! #endif ! stream = fopen(fname, "w"); ! #ifndef WIN32 ! umask(oldumask); ! #endif ! if (!stream) { psql_error("couldn't open temp file %s: %s\n", fname, strerror(errno)); error = true; --- 1423,1433 ---- #endif fname = (const char *) fnametmp; ! fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0600); ! if (fd != -1) ! stream = fdopen(fd, "w"); ! if (fd == -1 || !stream) { psql_error("couldn't open temp file %s: %s\n", fname, strerror(errno)); error = true;
В списке pgsql-hackers по дате отправления: