From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 4 Dec 2014 00:49:18 +0100
From: Stéphane Aulery
To: rsc@swtch.com, anselm@garbe.us, 9trouble@plan9.bell-labs.com, 9fans@9fans.net
Subject: Debian bug 737206 - rc shell uses insecurely /tmp
Message-ID: <20141203234918.GA27533@free.fr>
User-Agent: Mutt/1.5.23 (2014-03-12)

Hello,

I make you pass an open bug report on the Debian bts about rc.
I do not know to whom I should speak. The code comes from 9base, who
just plan9port, etc. Here is the report [1]:

   Package: 9base
   Version: 1:6-6
   Severity: important
   Tags: security

   Murray McAllister from Red Hat Security Response Team discovered that rc
   creates temporary files in an insecure way:

   $ strace -o '| grep /tmp' ./test-heredoc
   open("/tmp/here217f.0000", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 5
   open("/tmp/here217f.0000", O_RDONLY|O_LARGEFILE) = 5
   moo
   unlink("/tmp/here217f.0000") = 0

   As you can see, the filenames are easily predictable, and the O_EXCL
   flag is missing.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737206

Regards,

--
Stéphane Aulery

Attachment: test-heredoc

#!/usr/lib/plan9/bin/rc
cat << EOF
moo
EOF

From mboxrd@z Thu Jan 1 00:00:00 1970
In-Reply-To: <20141203234918.GA27533@free.fr>
References: <20141203234918.GA27533@free.fr>
Date: Fri, 5 Dec 2014 02:33:20 +0000
Subject: Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
From: Charles Forsyth
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Cc: Russ Cox, anselm@garbe.us, 9trouble@plan9.bell-labs.com

On Wed, Dec 3, 2014 at 11:49 PM, Stéphane Aulery wrote:

> discovered that rc
>    creates temporary files in an insecure way:

rc was built for a system that made /tmp secure by not sharing it (it's
always private to a user and even sometimes to a set of processes).
That way not every app has to try to help sustain the pretence that a
shared /tmp can really be secured (+s bits, EXCL create, etc..)
Obviously the version for Unix will have to change its generation scheme
to fit in.


From mboxrd@z Thu Jan 1 00:00:00 1970
References: <20141203234918.GA27533@free.fr>
Date: Fri, 5 Dec 2014 14:08:11 +1100
From: Bruce Ellis
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp

Don't these people have better things to do than finding non-bugs in
systems they don't understand?

brucee

On 5 December 2014 at 13:33, Charles Forsyth wrote:

> On Wed, Dec 3, 2014 at 11:49 PM, Stéphane Aulery wrote:
>
>> discovered that rc
>>    creates temporary files in an insecure way:
>
> rc was built for a system that made /tmp secure by not sharing it (it's
> always private to a user and even sometimes to a set of processes).
> That way not every app has to try to help sustain the pretence that a
> shared /tmp can really be secured (+s bits, EXCL create, etc..)
> Obviously the version for Unix will have to change its generation scheme
> to fit in.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Skip Tavakkolian
Date: Thu, 4 Dec 2014 19:20:53 -0800
References: <20141203234918.GA27533@free.fr>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp

+1 😄

> On Dec 4, 2014, at 7:08 PM, Bruce Ellis wrote:
>
> Don't these people have better things to do than finding non-bugs in
> systems they don't understand?
>
> brucee
>
>> On 5 December 2014 at 13:33, Charles Forsyth wrote:
>>
>>> On Wed, Dec 3, 2014 at 11:49 PM, Stéphane Aulery wrote:
>>> discovered that rc
>>> creates temporary files in an insecure way:
>>
>> rc was built for a system that made /tmp secure by not sharing it (it's
>> always private to a user and even sometimes to a set of processes).
>> That way not every app has to try to help sustain the pretence that a
>> shared /tmp can really be secured (+s bits, EXCL create, etc..)
>> Obviously the version for Unix will have to change its generation scheme
>> to fit in.

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 5 Dec 2014 04:14:07 +0000
Message-ID: <20141205041407.Horde.stL5yX_qWE2oFaDyiX9UDw1@ssl.eumx.net>
From: Kurt H Maier
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
References: <20141203234918.GA27533@free.fr>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.2)
Subject: Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp

Quoting Bruce Ellis:

> Don't these people have better things to do than finding non-bugs in
> systems they don't understand?
>
> brucee

This bug is being reported against 9base, which is a port of stuff
to unix similar to (and based on) plan9port.

He is reporting it to 9fans and 9trouble because Debian people are
not very good at doing things correctly. Fortunately he seems to
accidentally have sent his message to some folks who might care in
addition to the ones who don't.

khm

From mboxrd@z Thu Jan 1 00:00:00 1970
In-Reply-To: <20141205041407.Horde.stL5yX_qWE2oFaDyiX9UDw1@ssl.eumx.net>
References: <20141203234918.GA27533@free.fr> <20141205041407.Horde.stL5yX_qWE2oFaDyiX9UDw1@ssl.eumx.net>
Date: Sat, 6 Dec 2014 12:58:32 +1100
From: Bruce Ellis
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp

Well I hope he has fun fixing a sandwich. Your words ... "because Debian
people are not very good at doing things correctly".

On 5 December 2014 at 15:14, Kurt H Maier wrote:

> Quoting Bruce Ellis:
>
>> Don't these people have better things to do than finding non-bugs in
>> systems they don't understand?
>>
>> brucee
>
> This bug is being reported against 9base, which is a port of stuff
> to unix similar to (and based on) plan9port.
>
> He is reporting it to 9fans and 9trouble because Debian people are
> not very good at doing things correctly. Fortunately he seems to
> accidentally have sent his message to some folks who might care in
> addition to the ones who don't.
>
> khm

From mboxrd@z Thu Jan 1 00:00:00 1970
In-Reply-To: <20141203234918.GA27533@free.fr>
References: <20141203234918.GA27533@free.fr>
Date: Sun, 7 Dec 2014 18:35:53 +0100
Subject: Re: Debian bug 737206 - rc shell uses insecurely /tmp
From: anselm@garbe.us
To: Stéphane Aulery
Cc: rsc@swtch.com, 9trouble@plan9.bell-labs.com, Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>

Hi there,

On 4 December 2014 at 00:49, Stéphane Aulery wrote:
> I make you pass an open bug report on the Debian bts about rc.
> I do not know to whom I should speak. The code comes from 9base, who
> just plan9port, etc. Here is the report [1]:
>
>    Package: 9base
>    Version: 1:6-6
>    Severity: important
>    Tags: security

thanks for passing this issue on. I intend to address this issue in
the upcoming 9base-7 release.

Out of curiosity, does anybody know if current p9p is still affected
by this? Presumably it is just 9base-6, as it is based on a 4 year old
p9p pull...

BR,
Anselm
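
The difference the report's missing O_EXCL flag makes on a Unix system, as an added example that is not part of this thread and is not rc, 9base or plan9port code. The function and macro names and the scratch directory are hypothetical; only the here-document file name is taken from the strace output in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the report's strace: an existing path is reused and truncated. */
#define LEGACY_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)
/* With O_EXCL, open() fails with EEXIST if anything, even a symlink, is there. */
#define EXCL_FLAGS (O_WRONLY | O_CREAT | O_EXCL)
/* In a private scratch directory (constructed for this demo), put a symlink at
 * the predictable here-document name, open it with `flags`, and return the size
 * of the symlink's target afterwards: 10 = untouched, 0 = truncated, -1 = error. */
static long target_size_after_open(int flags, mode_t mode, int *open_errno)
{
    char dir[] = "/tmp/heredemoXXXXXX", target[64], lnk[64];
    struct stat st;
    long size = -1;
    int fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/here217f.0000", dir); /* name from the trace */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "important\n", 10) == 10 && close(fd) == 0
        && symlink(target, lnk) == 0) {
        fd = open(lnk, flags, mode); /* the call under test */
        *open_errno = fd < 0 ? errno : 0;
        if (fd >= 0)
            close(fd);
        if (stat(target, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return size;
}

int main(void)
{
    int e = 0;
    long n = target_size_after_open(LEGACY_FLAGS, 0666, &e);
    printf("legacy flags: target is now %ld bytes\n", n);
    n = target_size_after_open(EXCL_FLAGS, 0600, &e);
    printf("O_EXCL: target is still %ld bytes (open errno %d)\n", n, e);
    return 0;
}
```

mkstemp() performs the same exclusive create with mode 0600 and also replaces the predictable name, which covers both points raised in the report.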