[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
security: install 5.93/5.97 ignores --mode on existing dirs if no leadin
From: |
Marc MERLIN |
Subject: |
security: install 5.93/5.97 ignores --mode on existing dirs if no leading 4th byte |
Date: |
Tue, 1 May 2007 11:17:45 -0700 |
User-agent: |
Mutt/1.5.13 (2006-08-11) |
Expected behaviour with install 5.2.1:
magic:~# mkdir /tmp/conf
magic:~# chmod 1234 /tmp/conf
magic:~# ls -ld /tmp/conf
d-w--wxr-T 2 root root 4096 2007-05-01 11:00 /tmp/conf
magic:~# install -d -o root -g root -m 0777 /tmp/conf
magic:~# ls -ld /tmp/conf
drwxrwxrwx 2 root root 4096 2007-05-01 11:00 /tmp/conf
magic:~# install -d -o root -g root -m 751 /tmp/conf
magic:~# ls -ld /tmp/conf
drwxr-x--x 2 root root 4096 2007-05-01 11:00 /tmp/conf
Incorrect/Insecure behaviour with install 5.93 or 5.97:
address@hidden:~# chmod 1234 /tmp/conf
address@hidden:~# l -d /tmp/conf
d-w--wxr-T 2 nobody nobody 4096 May 1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 777 /tmp/conf
address@hidden:~# l -d /tmp/conf
d-w--wxr-T 2 nobody nobody 4096 May 1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 2777 /tmp/conf
address@hidden:~# l -d /tmp/conf
drwxrwsrwx 2 nobody nobody 4096 May 1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 2555 /tmp/conf
address@hidden:~# l -d /tmp/conf
dr-xr-sr-x 2 nobody nobody 4096 May 1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 0755 /tmp/conf
address@hidden:~# l -d /tmp/conf
dr-xr-sr-x 2 nobody nobody 4096 May 1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 1755 /tmp/conf
address@hidden:~# l -d /tmp/conf
drwxr-xr-t 2 nobody nobody 4096 May 1 10:38 /tmp/conf/
As you can see, the newer install refuses to reset permissions unless
there is some leading byte.
I haven't spent the time scanning open source software that uses install on
critical directories (spool, cron, etc...), but I'm sure one could find a
place where install not properly narrowing perms could lead to some local
exploit.
Anyway, whether that's the case or not, I hope you can get install fixed to
work like earlier versions, and as expected by scripts.
Thanks
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
- security: install 5.93/5.97 ignores --mode on existing dirs if no leading 4th byte,
Marc MERLIN <=