9fans - fans of the OS Plan 9 from Bell Labs
* Debian bug 737206 - rc shell uses insecurely /tmp
From: Stéphane Aulery @ 2014-12-03 23:49 UTC (permalink / raw)
  To: rsc, anselm, 9trouble, 9fans


Hello,

I am passing on to you an open bug report from the Debian BTS about rc.
I do not know to whom I should speak. The code comes from 9base, which is
just plan9port, etc. Here is the report [1]:

   Package: 9base
   Version: 1:6-6
   Severity: important
   Tags: security

   Murray McAllister from Red Hat Security Response Team discovered that rc
   creates temporary files in an insecure way:

   $ strace -o '| grep /tmp' ./test-heredoc
   open("/tmp/here217f.0000", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 5
   open("/tmp/here217f.0000", O_RDONLY|O_LARGEFILE) = 5
   moo
   unlink("/tmp/here217f.0000")            = 0

   As you can see, the filenames are easily predictable, and the O_EXCL
   flag is missing.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737206

Regards,

--
Stéphane Aulery

[-- Attachment #2: test-heredoc (text/plain) --]

#!/usr/lib/plan9/bin/rc
cat << EOF
moo
EOF

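An added example (not code from the thread, 9base or plan9port) that contrasts the open() pattern visible in the strace output above with the O_EXCL / mkstemp form the report asks for; the scratch directory, the planted file and all names are constructed for the demonstration:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The pattern from the strace output: fixed, guessable name, O_CREAT|O_TRUNC
 * and no O_EXCL, so whatever already sits at that path is reused and truncated. */
static int open_heredoc_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: mkstemp picks an unpredictable suffix and creates the file with
 * O_CREAT|O_EXCL, so a pre-existing entry makes the call fail instead of being
 * reused. The template (ending in XXXXXX) is rewritten in place with the name. */
static int open_heredoc_safe(char *tmpl_name)
{
    return mkstemp(tmpl_name);
}

/* Constructed demonstration: a private scratch directory stands in for /tmp and a
 * file is planted at the predictable name beforehand. Returns 1 when the unsafe
 * open reuses it, an O_EXCL open refuses it and the safe variant gets a fresh file. */
int demo(void)
{
    char dir[] = "/tmp/rcdemo.XXXXXX";
    char planted[64], tmpl[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(planted, sizeof planted, "%s/here217f.0000", dir); /* name from the report */
    snprintf(tmpl, sizeof tmpl, "%s/here.XXXXXX", dir);
    int pre = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* plant the entry */
    if (pre < 0)
        return -1;
    close(pre);
    int unsafe_fd = open_heredoc_unsafe(planted);                 /* succeeds silently */
    int excl_fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int excl_refused = (excl_fd < 0 && errno == EEXIST);          /* O_EXCL refuses it */
    int safe_fd = open_heredoc_safe(tmpl);                        /* fresh exclusive file */
    int ok = unsafe_fd >= 0 && excl_refused && safe_fd >= 0;
    if (unsafe_fd >= 0) close(unsafe_fd);
    if (safe_fd >= 0) { close(safe_fd); unlink(tmpl); }
    unlink(planted);
    rmdir(dir);
    return ok;
}
```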

* Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
From: Charles Forsyth @ 2014-12-05  2:33 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs; +Cc: Russ Cox, anselm, 9trouble


On Wed, Dec 3, 2014 at 11:49 PM, Stéphane Aulery <saulery@free.fr> wrote:

> discovered that rc
>    creates temporary files in an insecure way:
>

rc was built for a system that made /tmp secure by not sharing it (it's
always private to a user and even sometimes to a set of processes).
That way not every app has to try to help sustain the pretence that a
shared /tmp can really be secured (+s bits, EXCL create, etc.)
Obviously the version for Unix will have to change its generation scheme to
fit in.


* Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
From: Bruce Ellis @ 2014-12-05  3:08 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Don't these people have better things to do than finding non-bugs in
systems they don't understand?

brucee

On 5 December 2014 at 13:33, Charles Forsyth <charles.forsyth@gmail.com>
wrote:

>
> On Wed, Dec 3, 2014 at 11:49 PM, Stéphane Aulery <saulery@free.fr> wrote:
>
>> discovered that rc
>>    creates temporary files in an insecure way:
>>
>
> rc was built for a system that made /tmp secure by not sharing it (it's
> always private to a user and even sometimes to a set of processes).
> That way not every app has to try to help sustain the pretence that a
> shared /tmp can really be secured (+s bits, EXCL create, etc..)
> Obviously the version for Unix will have to change its generation scheme
> to fit in.
>


* Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
From: Skip Tavakkolian @ 2014-12-05  3:20 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


+1 😄


> On Dec 4, 2014, at 7:08 PM, Bruce Ellis <bruce.ellis@gmail.com> wrote:
> 
> Don't these people have better things to do than finding non-bugs in systems they don't understand?
> 
> brucee
> 
>> On 5 December 2014 at 13:33, Charles Forsyth <charles.forsyth@gmail.com> wrote:
>> 
>>> On Wed, Dec 3, 2014 at 11:49 PM, Stéphane Aulery <saulery@free.fr> wrote:
>>> discovered that rc
>>>    creates temporary files in an insecure way:
>> 
>> rc was built for a system that made /tmp secure by not sharing it (it's always private to a user and even sometimes to a set of processes).
>> That way not every app has to try to help sustain the pretence that a shared /tmp can really be secured (+s bits, EXCL create, etc..)
>> Obviously the version for Unix will have to change its generation scheme to fit in.
> 


* Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
From: Kurt H Maier @ 2014-12-05  4:14 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Quoting Bruce Ellis <bruce.ellis@gmail.com>:

> Don't these people have better things to do than finding non-bugs in
> systems they don't understand?
>
> brucee

This bug is being reported against 9base, which is a port of stuff
to unix similar to (and based on) plan9port.

He is reporting it to 9fans and 9trouble because Debian people are
not very good at doing things correctly. Fortunately he seems to
accidentally have sent his message to some folks who might care in
addition to the ones who don't.

khm


* Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
From: Bruce Ellis @ 2014-12-06  1:58 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Well I hope he has fun fixing a sandwich. Your words ... "because Debian
people are not very good at doing things correctly".

On 5 December 2014 at 15:14, Kurt H Maier <khm@sciops.net> wrote:

> Quoting Bruce Ellis <bruce.ellis@gmail.com>:
>
>  Don't these people have better things to do than finding non-bugs in
>> systems they don't understand?
>>
>> brucee
>>
>
> This bug is being reported against 9base, which is a port of stuff
> to unix similar to (and based on) plan9port.
>
> He is reporting it to 9fans and 9trouble because Debian people are
> not very good at doing things correctly.   Fortunately he seems to
> accidentally have sent his message to some folks who might care in
> addition to the ones who don't.
>
> khm
>
>
>


* Re: Debian bug 737206 - rc shell uses insecurely /tmp
From: anselm @ 2014-12-07 17:35 UTC (permalink / raw)
  To: Stéphane Aulery; +Cc: rsc, 9trouble, Fans of the OS Plan 9 from Bell Labs

Hi there,

On 4 December 2014 at 00:49, Stéphane Aulery <saulery@free.fr> wrote:
> I make you pass an open bug report on the Debian bts about rc.
> I do not know to whom I should speak. The code comes from 9base, who
> just plan9port, etc. Here is the report [1]:
>
>    Package: 9base
>    Version: 1:6-6
>    Severity: important
>    Tags: security

thanks for passing this issue on. I intend to address this issue in
the upcoming 9base-7 release.

Out of curiosity, does anybody know if current p9p is still affected
by this? Presumably it is just 9base-6, as it is based on a 4 year old
p9p pull...

BR,
Anselm
