redhat-cip / edeploy

Linux systems provisioning and updating made easy
Apache License 2.0

Multiple tmp file race condition flaws CVE-2014-3701 #232

Closed ghost closed 9 years ago

ghost commented 9 years ago

Found in a past security audit, agreed with Tristan to make public and file issues here.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1152548

Multiple tmp vulns, some leading to things like kernel modification, packages being installed as root, etc. This means any local access == root access trivially.

```
./server/upload-health.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./server/edeploy.conf:LOCKFILE=/tmp/edeploy.lock
./server/upload.py:$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
./server/upload.py: lock_filename = config_get('SERVER', 'LOCKFILE', '/tmp/edeploy.lock')
./tests/runkvm.sh:LOCKFILE=/tmp/edeploy.lock
./docs/eDeployUserGuide.rst: LOCKFILE = /tmp/edeploy.lock
./build/init.common: [ -d /tmp ] || mkdir /tmp
./build/init: cp $d/boot/vmlinuz$KVER_ /tmp/vmlinuz || giveup "Kexec: Unable to copy kernel"
./build/init: cp $d/boot/initrd$KVER_ /tmp/initrd.img || giveup "Kexec: Unable to copy initrd"
./build/init: cp $d/boot/initramfs$KVER_ /tmp/initrd.img || give_up "Kexec: Unable to copy initrd"
./build/init: kexec -l /tmp/vmlinuz --initrd=/tmp/initrd.img --append="root=${root}${BOOT_ARG}"
./build/base.install: chroot $target rpm -ivh "/tmp/${MEGACLIVER}_MegaCLI_Linux/Linux MegaCLI ${MEGACLIVER}/MegaCli-${MEGACLIVER}-1.noarch.rpm"
./build/base.install: do_chroot $target dpkg -i /tmp/$package_name
./build/img.embedded:LOCKFILE=/tmp/edeploy.lock
./build/infiniband: wget --no-verbose 'http://cs.stanford.edu/pub/mirrors/ubuntu/ubuntu/pool/universe/s/sdpnetstat/sdpnetstat_1.60-1ubuntu2_amd64.deb' -O ${dir}/tmp/sdpnetstat_1.60-1ubuntu2_amd64.deb
./build/infiniband: do_chroot $dir dpkg -i /tmp/sdpnetstat_1.60-1ubuntu2_amd64.deb
./build/infiniband: do_chroot $dir rm /tmp/sdpnetstat_1.60-1ubuntu2_amd64.deb
./build/remote-install.sh:scp "$SCR" "$DST":/tmp/
./build/remote-install.sh:ssh "$DST" bash /tmp/$(basename $SCR)
./build/img.install:BOOT_MOUNT_POINT=/tmp/$2-$3.tmp
./build/upgrade-from:/tmp/
./src/health-client.py: HP.start_log('/var/tmp/health-client.log', logging.DEBUG)
./src/health-server.py: HP.start_log('/var/tmp/health-server.log', logging.DEBUG)
./tools/jenkins-build.sh:if [ -f /var/tmp/froze-builds ]; then
./tools/grapher/grapher: epilog="Example: \ngrapher -g histogram -k cpu,logical,bandwidth_1G '/tmp/*.hw'")
```

fredericlepied commented 9 years ago

@kseifriedredhat: usually we secure the build system by restricting the access to the topdir of the chroot dirs to only root and the jenkins slaves building these roles have no user access.

Anyway, we'll change the path to secure its use for other users.
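The bug class behind the grep output above (a privileged process opening a fixed, predictable name such as `/tmp/edeploy.lock` or `/tmp/vmlinuz` in a world-writable directory) and the two mitigations discussed in the thread (refuse to follow a pre-planted symlink, or write only inside a directory that nobody else can write to) can be shown end to end in a few lines. The following is an added example written for this page; it is not eDeploy code and does not reproduce any of the repository's scripts. The "fake /tmp" is a throwaway directory chmod'ed to 1777, the protected file is a constructed stand-in for something like `/boot/vmlinuz`, and all function names are hypothetical. It runs as an unprivileged user on Linux (both "attacker" and "victim" are the same uid, which is enough to show the mechanism).

```python
"""Symlink race on a predictable temp path, and the two fixes.

Added example, not eDeploy code. Models the pattern in the grep output:
a privileged writer uses a fixed name in a shared directory, a local
user pre-creates that name as a symlink, and the writer clobbers the
link's target. Everything happens inside a throwaway directory.
"""
import os
import shutil
import stat
import tempfile

# Constructed stand-in for the content of a file only root should write
# (think /boot/vmlinuz or a package in the chroot).
ORIGINAL = b"original kernel\n"


def attacker_plant_symlink(shared_dir: str, name: str, target: str) -> str:
    """Unprivileged user wins the race by creating the predictable name
    first, as a symlink to a file they cannot otherwise write."""
    link = os.path.join(shared_dir, name)
    os.symlink(target, link)
    return link


def victim_unsafe_write(shared_dir: str, name: str, data: bytes) -> str:
    """Vulnerable pattern: open(path, 'wb') is O_CREAT|O_TRUNC with no
    O_EXCL/O_NOFOLLOW, so it follows the symlink and truncates/overwrites
    whatever the attacker pointed it at."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def victim_safe_write(shared_dir: str, name: str, data: bytes) -> str:
    """Hardened open: O_EXCL makes creation fail if *anything* already sits
    at the path (a symlink included, because O_EXCL does not follow it);
    O_NOFOLLOW is an extra guard; mode 0600 keeps the file private."""
    path = os.path.join(shared_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def dir_is_private(path: str) -> bool:
    """The mitigation the maintainer describes: the directory must be owned
    by the writing user and not writable by group/other. A sticky /tmp
    fails this check, a 0700 directory passes it."""
    st = os.stat(path)
    return st.st_uid == os.geteuid() and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def private_workdir() -> str:
    """Safe alternative to a fixed /tmp name: a fresh, unpredictable,
    0700 directory created by the writer itself (tempfile.mkdtemp)."""
    return tempfile.mkdtemp(prefix="edeploy-")


def run_scenario(use_safe: bool) -> dict:
    """Build a fake world-writable /tmp, plant the symlink, then let the
    'privileged' writer run. Returns what happened so it can be checked."""
    shared = tempfile.mkdtemp(prefix="fake-tmp-")
    os.chmod(shared, 0o1777)  # model a sticky, world-writable /tmp
    protected = os.path.join(shared, "protected-target")
    with open(protected, "wb") as f:
        f.write(ORIGINAL)

    attacker_plant_symlink(shared, "edeploy.lock", protected)

    outcome = {"dir_private": dir_is_private(shared), "refused": False, "clobbered": False}
    writer = victim_safe_write if use_safe else victim_unsafe_write
    try:
        writer(shared, "edeploy.lock", b"attacker-controlled\n")
    except FileExistsError:
        outcome["refused"] = True
    with open(protected, "rb") as f:
        outcome["clobbered"] = f.read() != ORIGINAL
    shutil.rmtree(shared)
    return outcome


if __name__ == "__main__":
    print("unsafe:", run_scenario(use_safe=False))
    print("safe:  ", run_scenario(use_safe=True))
    print("0700 workdir private:", dir_is_private(private_workdir()))
```

The unsafe run reports the protected file as clobbered; the safe run reports the open refused and the target untouched. Note that recent Linux kernels with `fs.protected_symlinks=1` will already refuse to let root follow a user-owned symlink in a sticky world-writable directory, but that is a safety net, not a fix: the application-level remedies are `O_EXCL`/`O_NOFOLLOW` on the open, or (as the reply above does) keeping the working directory writable by the builder only.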