[Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Ben Winslow winslowb at pa.net
Tue Dec 9 15:18:11 GMT 2008


On Tue, 09 Dec 2008 14:36:33 +0000
Julian Field <MailScanner at ecs.soton.ac.uk> wrote:

> Well if you can even give me a definitive statement of precisely what 
> the underlying theoretical problem is, and how to avoid it, that
> would help. I don't want to write a load of code and then discover
> I've misunderstood the underlying problem and not actually fixed
> anything.

The problem with the other autoupdate scripts is similar to the problem
with the Trend script: several of them are vulnerable to symlink
attacks.

Example:
user$ ln -s /etc/passwd /tmp/ClamAVBusy.lock
root# /usr/lib/MailScanner/clamav-autoupdate
root# cat /etc/passwd
Locked for updating ClamAV definitions by 18371
Unlocked after updating ClamAV definitions by 18371
root# 

Symlinking /tmp/ClamAV.update.log is ineffective, because
freshclam drops privileges before the log file is opened, but it's
still bad practice to pass it a file in a world-writable directory like
that.

As far as fixing the problem, many systems have a mktemp utility that
can be used to securely create a temporary file (which is typically
just a wrapper around the system's mkstemp() function, if present).
Since that's not really portable, though, you might be better off
porting the remaining autoupdate shell scripts to perl, where you can
use sysopen(HANDLE, "/tmp/file", ...|O_EXCL), which will fail if the
file already exists.  Alternatively, the fix for the trend-autoupdate
script in the latest version of MailScanner should work in the other
shell scripts as well, but it's not very elegant.

-- 
Ben Winslow <winslowb at pa.net>
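The lock and log handling done the way the post recommends, as an added shell example that is not MailScanner's own code: it assumes mktemp(1) is available and uses an mkdir-based lock in place of O_EXCL, with the directory and file names chosen for illustration.

```shell
#!/bin/sh
# Added example (not MailScanner's code): a symlink-safe pattern for the
# lock and log files the autoupdate scripts keep in /tmp. Assumes mktemp(1)
# (GNU coreutils or BSD); the mkdir-based lock stands in for O_EXCL, which
# plain POSIX sh has no way to request on a redirection.

# Unsafe form, as the affected scripts did it (kept only as illustration):
#   echo "Locked for updating ClamAV definitions by $$" > /tmp/ClamAVBusy.lock
# ">" follows whatever already sits at that fixed path, so a planted symlink
# redirects the write to the link's target.

# Private 0700 working directory; mktemp -d creates it atomically with a
# random suffix, so nothing can be pre-created or pre-linked at that name.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/MailScanner.autoupdate.XXXXXX"
}

# Fresh 0600 log file inside that directory, instead of the fixed
# /tmp/ClamAV.update.log that freshclam was handed.
make_log() {
    mktemp "$1/ClamAV.update.log.XXXXXX"
}

# Acquire a lock at a fixed path. mkdir(2) is atomic, fails with EEXIST if
# anything (file, directory, even a dangling symlink) already exists there,
# and never follows a symlink: the same guarantee O_EXCL gives sysopen().
take_lock() {
    mkdir "$1" 2>/dev/null || return 1
    echo "$$" > "$1/pid"
}

release_lock() {
    rm -rf "$1"
}

# Guard before reusing an existing log path: a symlink is rejected outright.
is_safe_regular() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Stand-alone demonstration of the normal flow.
demo() {
    dir=$(make_workdir) || return 1
    take_lock "$dir/ClamAVBusy.lock" || { rm -rf "$dir"; return 1; }
    log=$(make_log "$dir")
    echo "Locked for updating ClamAV definitions by $(cat "$dir/ClamAVBusy.lock/pid"), log $log"
    release_lock "$dir/ClamAVBusy.lock"
    rm -rf "$dir"
}
```

The lock directory lives under the sticky /tmp, so only its owner (or root) can remove or rename it, which is what makes the mkdir check trustworthy between runs.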

