INN commit: trunk/support (install-sh)
INN Commit
rra at isc.org
Thu Mar 15 21:35:09 UTC 2018
Date: Thursday, March 15, 2018 @ 14:35:08
Author: iulius
Revision: 10267
install-sh: avoid (low risk) race in "/tmp"
Patch from upstream.
Ensure that nobody can cross privilege boundaries by pre-creating
symlink on '$tmpdir' destination directory.
Just testing 'mkdir -p' by creating "/tmp/ins$RANDOM-$$/d" is not safe
because "/tmp" directory is usually world-writeable and
"/tmp/ins$RANDOM-$$" content could be pretty easily guessed by
attacker (at least for shells where $RANDOM is not supported). So, as
the first step, create the "/tmp/ins$RANDOM-$$" without -p. This step
would fail early if somebody wanted catch us.
Systems that implement (and have enabled) fs.protected_symlinks kernel
feature are not affected even without this commit.
Modified:
trunk/support/install-sh
------------+
install-sh | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
Modified: install-sh
===================================================================
--- install-sh 2018-03-10 14:59:27 UTC (rev 10266)
+++ install-sh 2018-03-15 21:35:08 UTC (rev 10267)
@@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
-scriptversion=2017-09-23.17; # UTC
+scriptversion=2018-03-11.20; # UTC
#############################
# NOTICE TO INN MAINTAINERS #
@@ -361,11 +361,19 @@
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
+ # Note that $RANDOM variable is not portable (e.g. dash); Use it
+ # here however when possible just to lower collision chance.
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
- trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+ trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
+
+ # Because "mkdir -p" follows existing symlinks and we likely work
+ # directly in world-writeable /tmp, make sure that the '$tmpdir'
+ # directory is successfully created first before we actually test
+ # 'mkdir -p' feature.
if (umask $mkdir_umask &&
- exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+ $mkdirprog $mkdir_mode "$tmpdir" &&
+ exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
@@ -372,23 +380,24 @@
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
- ls_ld_tmpdir=`ls -ld "$tmpdir"`
+ test_tmpdir="$tmpdir/a"
+ ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
- $mkdirprog -m$different_mode -p -- "$tmpdir" && {
- ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+ $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
+ ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
- rmdir "$tmpdir/d" "$tmpdir"
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
- rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+ rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
@@ -536,7 +545,7 @@
done
# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
More information about the inn-committers
mailing list