Date: Mon, 12 Jan 2015 05:43:44 +0000
From: Daniel Shahaf
To: Bart Schaefer
Cc: zsh-workers@zsh.org
Subject: Re: zsh/files module and insecure tempfile creation
Message-ID: <20150112054344.GC1728@tarsus.local2>
References: <150109223150.ZM24107@torch.brasslantern.com>
In-Reply-To: <150109223150.ZM24107@torch.brasslantern.com>
List-Id: Zsh Workers List
X-Seq: 34248

Bart Schaefer wrote on Fri, Jan 09, 2015 at 22:31:50 -0800:
> I'm trying to work through the "attack vector" for the mv -f trick.
> The situation is that a script wants to create a plain empty file
> with a known name, let's say "/tmp/zsh12345".
>
> If the attacker creates his own plain file named /tmp/zsh12345 then the
> "mv -f" will clobber it, so that's not at issue. Therefore an attack
> is possible if the attacker can create a directory (or symlink to a
> directory) named /tmp/zsh12345 and writable by the zsh process,
> because then mv will put the empty plain file inside that directory.
>
> Next the attacker must be able to swap the directory or symlink with
> a symlink to his own target file. Presumably if he could create it
> in the first place, he can swap it. So we do have an attack that can
> clobber any file writable by the zsh user. Anybody disagree?

On FreeBSD systems, 'cat /path/to/dir' works (prints something and returns 0).

Therefore, even if the (symlink-to-)dir is not replaced by a file, unexpected
effects might be caused when some code attempts to cat the tempfile (which is
in fact a directory) — whether in order to run it as shell commands or in
order to use it as data.

Sorry, but I haven't audited the patch to see what exactly this could cause
in each instance. (No time.)

Daniel
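The scenario above, reproduced under a private scratch directory as an added shell example that is not part of the thread or of zsh: the "mv -f" pattern is run against a pre-existing directory at the known name, alongside an exclusive-create alternative and the file-type check Daniel's FreeBSD remark calls for (the scratch directory and simulate_attack_dir are constructed stand-ins for /tmp and for the attacker's pre-created directory).

```shell
#!/bin/sh
# Added demo, not from the thread: a private scratch dir stands in for /tmp,
# and simulate_attack_dir is a constructed stand-in for an attacker who has
# pre-created a directory at the predictable tempfile name.
scratch=$(mktemp -d) || exit 1
trap 'rm -rf "$scratch"' EXIT
known="$scratch/zsh12345"   # the known name the script wants as an empty file

# Insecure pattern under discussion: make the empty file elsewhere, then
# "mv -f" it onto the known name, trusting mv to clobber whatever is there.
insecure_create() {
    f=$(mktemp "$scratch/stage.XXXXXX") || return 1
    mv -f "$f" "$1"
}

# Hardened pattern: only accept a name we created ourselves. With noclobber,
# '>' becomes an exclusive create, so any pre-existing entry (file, dir or
# symlink) makes the create fail rather than being followed.
safe_create() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Type check to run before reading or sourcing the tempfile: since 'cat' on a
# directory can succeed on FreeBSD, test the type explicitly instead of
# relying on the reader to fail.
is_plain_file() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

simulate_attack_dir() {
    rm -rf "$1" && mkdir "$1"
}

# Run both patterns against the attacker's directory and report what happened.
demo() {
    simulate_attack_dir "$known"
    insecure_create "$known"
    if [ -d "$known" ] && [ -n "$(ls -A "$known")" ]; then
        r1=misplaced      # the empty file landed *inside* the attacker's dir
    else
        r1=ok
    fi
    simulate_attack_dir "$known"
    if safe_create "$known"; then r2=clobbered; else r2=refused; fi
    echo "$r1 $r2"
}

demo    # prints: misplaced refused
```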