[Simon Walter] Re: Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Glenn Steen glenn.steen at gmail.com
Tue Dec 9 15:46:48 GMT 2008


2008/12/9 Ben Winslow <winslowb at pa.net>:
> On Tue, 09 Dec 2008 14:36:33 +0000
> Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>
>> Well if you can even give me a definitive statement of precisely what
>> the underlying theoretical problem is, and how to avoid it, that
>> would help. I don't want to write a load of code and then discover
>> I've misunderstood the underlying problem and not actually fixed
>> anything.
>
> The problem with the other autoupdate scripts is similar to the problem
> with the Trend script: several of them are vulnerable to symlink
> attacks.
>
> Example:
> user$ ln -s /etc/passwd /tmp/ClamAVBusy.lock
> root# /usr/lib/MailScanner/clamav-autoupdate
> root# cat /etc/passwd
> Locked for updating ClamAV definitions by 18371
> Unlocked after updating ClamAV definitions by 18371
> root#
>
> Symlinking /tmp/ClamAV.update.log is ineffective, because
> freshclam drops privileges before the log file is opened, but it's
> still bad practice to pass it a file in a world-writable directory like
> that.
>
> As far as fixing the problem, many systems have a mktemp utility that
> can be used to securely create a temporary file (which is typically
> just a wrapper around the system's mkstemp() function, if present.)
> Since that's not really portable, though, you might be better off
> porting the remaining autoupdate shell scripts to perl, where you can
> use sysopen(HANDLE, "/tmp/file", ...|O_EXCL), which will fail if the
> file already exists.  Alternately, the fix for the trend-autoupdate
> script in the latest version of MailScanner should work in the other
> shell scripts as well, but it's not very elegant.
>
Why not either remove any preexisting file (provided it is a symlink)
or barf and die?

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
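
An added example (not part of the thread and not MailScanner's code) of the atomic-create approach discussed above, written in shell because the autoupdate scripts are shell. Under `set -C` (noclobber), bash and dash create the lock with O_CREAT|O_EXCL, so a pre-planted symlink is refused rather than followed, and `mktemp -d` provides a private directory for logs. The function names and sandbox paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. All paths are constructed inside a private sandbox.

# acquire_lock FILE OWNER_PID
# Succeeds only if nothing exists at FILE. Under noclobber (set -C) the
# shell creates the file with O_CREAT|O_EXCL, which fails on any existing
# name, including a symlink, so a planted link is never written through.
acquire_lock() {
    ( set -C; printf 'Locked by %s\n' "$2" > "$1" ) 2>/dev/null
}

# release_lock FILE: remove the lock name itself (rm does not follow links).
release_lock() {
    rm -f -- "$1"
}

# make_workdir PREFIX: private 0700 directory for logs and scratch files,
# so nothing with a predictable name is created directly in /tmp.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXX"
}

# demo: returns 0 if the file behind the symlink survives untouched.
demo() {
    sandbox=$(make_workdir lockdemo) || return 1
    printf 'root:x:0:0\n' > "$sandbox/target"      # stands in for /etc/passwd
    ln -s "$sandbox/target" "$sandbox/Busy.lock"   # pre-planted symlink
    rc=0
    if acquire_lock "$sandbox/Busy.lock" "$$"; then rc=1; fi   # must refuse
    [ "$(cat "$sandbox/target")" = 'root:x:0:0' ] || rc=1      # unchanged
    release_lock "$sandbox/Busy.lock"
    acquire_lock "$sandbox/Busy.lock" "$$" || rc=1             # now succeeds
    [ -f "$sandbox/Busy.lock" ] && [ ! -L "$sandbox/Busy.lock" ] || rc=1
    if acquire_lock "$sandbox/Busy.lock" "$$"; then rc=1; fi   # already held
    rm -rf -- "$sandbox"
    return "$rc"
}

demo && echo "symlink refused, target intact"
```

A separate "is it a symlink?" test followed by a plain `>` redirect leaves a window between the check and the open; the single exclusive create closes it.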

