Race Condition in the bashbug script
From: Stefan Nordhausen
Subject: Race Condition in the bashbug script
Date: Wed, 31 Mar 2004 01:42:45 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113
Hi!
The bashbug script contains a (known, but not yet fixed) race condition
when it tries to create its temporary files. This race condition is
exploitable even when mktemp or tempfile are available (see [1], chapter
3.6). The attached diff against bash 2.05 gets rid of the race condition
and also makes the bashbug script quite a bit smaller.
Regards
Stefan
[1]http://www.linuxsecurity.com/articles/documentation_article-8886.html
--- old/bashbug.sh 2001-10-30 20:51:18.000000000 +0100
+++ new/bashbug.sh 2004-03-31 00:44:01.000000000 +0200
@@ -22,35 +22,18 @@
PATH=/bin:/usr/bin:/usr/local/bin:$PATH
export PATH
-# If the OS supplies a program to make temp files with semi-random names,
-# use it.
+# Check if TMPDIR is set, default to /tmp
: ${TMPDIR:=/tmp}
-rm_tmp1=false
-rm_tmp2=false
-
-# if we don't have mktemp or tempfile, we don't want to see error messages
-# like `mktemp: not found', so temporarily redirect stderr using {...} while
-# trying to run them. this may fail using old versions of the bourne shell
-# that run {...} blocks with redirections in subshells; in that case we're
-# no worse off than previous versions
-
-{ TEMPFILE1=`mktemp "$TMPDIR/bbug.XXXXXX" 2>/dev/null` ; } 2>/dev/null
-if [ -z "$TEMPFILE1" ]; then
- { TEMPFILE1=`tempfile --prefix bbug --mode 600 2>/dev/null`; }
2>/dev/null
-fi
-if [ -z "$TEMPFILE1" ]; then
- TEMPFILE1=$TMPDIR/bbug.$$
- rm_tmp1=true
-fi
-{ TEMPFILE2=`mktemp "$TMPDIR/bbug.XXXXXX" 2>/dev/null`; } 2>/dev/null
-if [ -z "$TEMPFILE2" ]; then
- { TEMPFILE2=`tempfile --prefix bbug --mode 600 2>/dev/null`; }
2>/dev/null
-fi
-if [ -z "$TEMPFILE2" ]; then
- TEMPFILE2="$TMPDIR/bbug.$$.x"
- rm_tmp2=true
-fi
+#Securely create a temporary directory for the temporary files
+TEMPDIR=$TMPDIR/bbug.$$
+(umask 077 && mkdir $TEMPDIR) || {
+ echo "Could not create temporary directory. Exiting!"
+ exit 1
+ }
+TEMPFILE1=$TEMPDIR/bbug1
+TEMPFILE2=$TEMPDIR/bbug2
+
USAGE="Usage: $0 [--help] [--version] [bug-report-email-address]"
VERSTR="GNU bashbug, version ${RELEASE}.${PATCHLEVEL}-${RELSTATUS}"
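Review bot: `TEMPDIR=$TMPDIR/bbug.$$` and `mkdir $TEMPDIR` expand unquoted, so a TMPDIR value containing whitespace or glob characters is split into several arguments and mkdir no longer creates the path that the later `"$TEMPDIR"` references point at. Quote both (`TEMPDIR="$TMPDIR/bbug.$$"`, `mkdir "$TEMPDIR"`) and send the failure message to stderr with `>&2`. The mkdir approach itself is sound because mkdir fails if anything already exists at that name, but the name is still predictable from the PID, so an existing entry there makes bashbug exit; trying `mktemp -d` first and falling back to this mkdir would keep the fix and avoid that failure where mktemp is available.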
@@ -149,8 +132,8 @@
: ${USER=${LOGNAME-`whoami`}}
-trap 'rm -f "$TEMPFILE1" "$TEMPFILE2"; exit 1' 1 2 3 13 15
-trap 'rm -f "$TEMPFILE1" "$TEMPFILE2"' 0
+trap 'rm -rf "$TEMPDIR"; exit 1' 1 2 3 13 15
+trap 'rm -rf "$TEMPDIR"' 0
UN=
if (uname) >/dev/null 2>&1; then
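Review bot: the cleanup traps are still installed here, around line 132, while the directory is created around line 30 in the first hunk, so a signal arriving in between leaves `$TMPDIR/bbug.$$` behind. Moving both trap lines to directly after the mkdir block closes that gap. Since `rm -rf` now acts on a path built from the TMPDIR environment variable, placing the traps right after the `|| { ... exit 1 }` block also keeps the useful property that they are only set once mkdir has succeeded.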
@@ -170,9 +153,6 @@
INITIAL_SUBJECT='[50 character or so descriptive subject here (for reference)]'
-# this is raceable unless (hopefully) we used mktemp(1) or tempfile(1)
-$rm_tmp1 && rm -f "$TEMPFILE1"
-
cat > "$TEMPFILE1" <<EOF
From: ${USER}
To: ${BUGADDR}
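Review bot: with the two comment lines above `cat > "$TEMPFILE1"` removed, nothing at this point says why the write is no longer raceable. A one-line comment noting that `$TEMPFILE1` lives inside the private directory created by the `umask 077 && mkdir` step would stop a later reader from reintroducing an `rm -f` or moving the file back into `$TMPDIR` directly.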
@@ -202,9 +182,6 @@
fix for the problem, don't include this section.]
EOF
-# this is still raceable unless (hopefully) we used mktemp(1) or tempfile(1)
-$rm_tmp2 && rm -f "$TEMPFILE2"
-
cp "$TEMPFILE1" "$TEMPFILE2"
chmod u+w "$TEMPFILE1"
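Review bot: `cp "$TEMPFILE1" "$TEMPFILE2"` now creates bbug2 under the caller's umask, because the `umask 077` in the first hunk runs inside a subshell and does not persist. The 0700 directory still keeps other users out, so this is not a regression, but the protection rests entirely on the directory mode; setting `umask 077` for the whole script, or noting that dependency in a comment, would make the intent explicit.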
@@ -255,7 +232,7 @@
done
-trap 'rm -f "$TEMPFILE1" "$TEMPFILE2"; exit 1' 2 # restore trap on SIGINT
+trap 'rm -rf "$TEMPDIR"; exit 1' 2 # restore trap on SIGINT
if cmp -s "$TEMPFILE1" "$TEMPFILE2"
then
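Review bot: the string `rm -rf "$TEMPDIR"` now appears in three separate trap lines, here and in the hunk at line 132, and they have to be kept in sync by hand. A small cleanup function called from each trap would leave one place to change if the cleanup ever needs to do more than remove the directory.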