temp file creation problem in inn
Steve Beattie
steve at wirex.net
Sun Dec 31 00:11:25 UTC 2000
Russ,
Thank you for your patience on this issue.
On Fri, Dec 29, 2000 at 05:28:23PM -0800, Russ Allbery wrote:
>
> This sounds like a security bug in Red Hat's INN RPM. INN as shipped by
> ISC has used a temporary directory separate from the system directory for
> quite some time (it's not new in 2.3).
A little more clarification on the issue -- RedHat's RPM passes configure
the following arguments:
--prefix=/usr
--with-tmp-dir=/tmp
Unfortunately, --with-tmp-dir is not a valid configure option (how nice
of configure to silently ignore it, but that's an autoconf issue); the
correct option is --with-tmp-path, and it should NOT be set to /tmp. So
the security problem is the result of a misconfiguration by RedHat.
However, I believe it is dangerous for INN to depend that its temp
directory be non-world writable AND have configure set the default
to %prefix/tmp if --with-tmp-path is not given. It is common for
vendors to set --prefix to /usr and easy to miss that this is an unsafe
configuration. If nothing else, a warning in the INSTALL file about the
interdependence of --prefix and the temp directory is desired.
Attached is a patch to the INN RPM specfile for RedHat derived
distributions.
Of course, the real answer is to fix the code, but I understand your
reason for being unable to do that.
> I'm hanging on to the patch... at some point we'll get or I'll end up
> writing a mkstemp replacement for systems that don't have it, and then it
> will come in handy.
I suppose license issues prevent incorporating the gnu glibc version
(or the glibc derived version that egcs used). Given that, I suggest
adapting the OpenBSD implementation:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/mktemp.c
Thanks.
--
Steve Beattie Don't trust programmers?
<steve at wirex.net> Complete StackGuard distro at
http://immunix.org/~steve/ immunix.org
-- Attached file included as plaintext by Listar --
--- inn.spec.save Sat Dec 30 13:35:44 2000
+++ inn.spec Sat Dec 30 13:56:18 2000
@@ -114,7 +114,7 @@
--mandir=%{_mandir} \
--with-log-dir=/var/log/news --with-spool-dir=/var/spool/news\
--with-db-dir=/var/lib/news --with-run-dir=/var/run/news \
- --with-etc-dir=/etc/news --with-tmp-dir=/tmp \
+ --with-etc-dir=/etc/news --with-tmp-dir=/var/spool/news/tmp \
--with-perl --enable-shared --enable-uucp-rnews \
--enable-tagged-hash --enable-merge-to-groups \
--with-news-user=news --with-news-group=news \
@@ -165,6 +165,8 @@
chmod 644 $RPM_BUILD_ROOT/var/lib/news/*
chmod 644 $RPM_BUILD_ROOT/var/lib/news/.news.daily
+mkdir -p $RPM_BUILD_ROOT/var/spool/news/tmp
+
# we get this from cleanfeed
rm -f $RPM_BUILD_ROOT/usr/bin/filter/filter_innd.pl
@@ -276,6 +278,7 @@
%dir /var/spool/news/outgoing
%dir /var/spool/news/uniover
%dir /var/spool/news/innfeed
+%attr(770, - , -) %dir /var/spool/news/tmp
%dir /var/log/news
%dir /var/log/news/OLD
%dir /var/lib/news
More information about the inn-bugs
mailing list