search

google-code-export / gambas

Automatically exported from code.google.com/p/gambas
1 stars 0 forks source link

Gambas creates hijackable directory in /tmp #365

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
1) Describe the problem.

Gambas creates a directory in /tmp called gambas.UID where UID
is the user id of the person running the software. Gambas doesn't check
to see if a malicious user has already created that directory.

A malicious user can then manipulate (mv or remove) that directory once gambas 
has created files under it.
larry@aliquot:/tmp$ mkdir gambas.0
larry@aliquot:/tmp$ ls -ld gambas.0
drwxr-xr-x 2 larry staff 4096 2012-12-13 16:37 gambas.0
larry@aliquot:/tmp$ cd gambas.0
larry@aliquot:/tmp/gambas.0$ ls
larry@aliquot:/tmp/gambas.0$ ls -l
total 4
drwx------ 2 root root 4096 2012-12-13 16:37 25257
larry@aliquot:/tmp/gambas.0$ rm -rf 25257 
larry@aliquot:/tmp/gambas.0$ 

User larry was able to remove the directory gambas created as root.

2) GIVE THE FOLLOWING INFORMATIONS (if they are appropriate):

Version: gambas3-runtime-3.3.4~lucid2
Revision:
Operating system: Linux 
Distribution: Ubunt
Architecture: x86_64 
GUI component: QT3 / QT4 / GTK+
Desktop used: Gnome

3) Provide a little project that reproduces the bug or the crash.

ubuntu-builder runs as root

4) If your project needs a database, try to provide it, or part of it.

5) Explain clearly how to reproduce the bug or the crash.

6) By doing that carefully, you have done 50% of the bug fix job!

IMPORTANT NOTE: if you encounter several different problems or bugs, (for
example, a bug in your project, and an interpreter crash while debugging
it), please create distinct issues!

Original issue reported on code.google.com by lcash...@gmail.com on 13 Dec 2012 at 9:44

GoogleCodeExporter commented 9 years ago 
Indeed. I think I will do an accurate chown() and a chmod() on the directory, 
and if it fails, I abort the program.

Original comment by benoit.m...@gmail.com on 15 Dec 2012 at 2:12

GoogleCodeExporter commented 9 years ago 
Fixed in revision #5438. The fix will be backported to gambas 3.3.5.

Original comment by benoit.m...@gmail.com on 15 Dec 2012 at 2:28

GoogleCodeExporter commented 9 years ago 
Finally I don't think it is really fixed. It needs to be more robust against 
other possible type of directory hijack.

Original comment by benoit.m...@gmail.com on 20 Dec 2012 at 8:50

GoogleCodeExporter commented 9 years ago 
In revision #5464, I now check that:
- the temporary directories are directories and not symbolic links.
- the owners are accurate.
- the rights are accurate.

Original comment by benoit.m...@gmail.com on 22 Dec 2012 at 7:54