
Tempfiles should always be created using mktemp, not using PID or hard-coded filenames

Open krig opened this issue 8 years ago • 2 comments

This was flagged by the SUSE security team:

There are various problems with tmp-races. Some of them may be used for LPE:

sapdb-nosha.sh:

oracle_stop() {
echo '#!/bin/sh
LOG=$HOME/stopdb.log
date > $LOG

if [ -x "${ORACLE_HOME}/bin/sqlplus" ]
then
    SRVMGRDBA_EXE="${ORACLE_HOME}/bin/sqlplus"
else
   echo "Can not find executable sqlplus" >> $LOG
   exit 1
fi

$SRVMGRDBA_EXE /NOLOG >> $LOG << !
connect / as sysdba
shutdown immediate
exit
!
rc=$?
cat $LOG
exit $rc' > $TEMPFILE

chmod 700 $TEMPFILE
chown $sidadm $TEMPFILE

su - $sidadm -c $TEMPFILE
...
TEMPFILE="/tmp/SAPDatabase.$$.tmp"

and more occurrences of this.

mysql:

DEBUG_LOG="/tmp/mysql.ocf.ra.debug/log"
if [ "${DEBUG_LOG}" -a -w "${DEBUG_LOG}" -a ! -L "${DEBUG_LOG}" ]; then
    DEBUG_LOG_DIR="${DEBUG_LOG%/*}"
    if [ -d "${DEBUG_LOG_DIR}" ]; then
        exec 9>>"$DEBUG_LOG"
        exec 2>&9
        date >&9
        echo "$*" >&9
        env | grep OCF_ | sort >&9
        set -x
    else
        exec 9>/dev/null
    fi
fi

ClusterMon:

: ${OCF_RESKEY_update:="15000"}
: ${OCF_RESKEY_pidfile:="/tmp/ClusterMon_${OCF_RESOURCE_INSTANCE}.pid"}
: ${OCF_RESKEY_htmlfile:="/tmp/ClusterMon_${OCF_RESOURCE_INSTANCE}.html"}

All these should better use mktemp.

krig, Nov 06 '17 14:11
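
The PID-based name from the report next to an mktemp-based replacement, as an added example that is not part of the original issue or of the resource-agents code. The function names and the sandbox directory standing in for /tmp are assumptions, and the chown/su step of the original is left out.

```shell
#!/bin/sh
# Added example, not resource-agents code. Function names are hypothetical.

# Pattern from the report: the name depends only on the PID, so the path can
# already exist (for example as a symlink) before the agent writes to it, and
# ">" follows it. $1 is the directory, a sandbox stand-in for /tmp.
write_script_predictable() {
    tmpfile="$1/SAPDatabase.$$.tmp"
    echo '#!/bin/sh' > "$tmpfile" || return 1
    chmod 700 "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing path is never reused.
write_script_mktemp() {
    tmpfile=$(mktemp "$1/SAPDatabase.XXXXXXXXXX") || return 1
    echo '#!/bin/sh' > "$tmpfile" || { rm -f "$tmpfile"; return 1; }
    chmod 700 "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Constructed scenario: a link is already waiting at the predictable name.
# Prints "clobbered" or "intact" for the file the link points to.
demo() {
    writer=$1
    sandbox=$(mktemp -d) || return 1
    echo 'precious data' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/SAPDatabase.$$.tmp"
    "$writer" "$sandbox" >/dev/null
    if [ "$(cat "$sandbox/victim")" = 'precious data' ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$sandbox"
}

demo write_script_predictable   # clobbered
demo write_script_mktemp        # intact
```

A real agent would also remove the temporary file when it is done, typically with a trap on EXIT.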

On Mon, Nov 06, 2017 at 02:45:02PM +0000, Kristoffer Grönlund wrote:

This was flagged by the SUSE security team:

There are various problems with tmp-races. Some of them may be used for LPE:

Definitely needs fixing. Furthermore, the mysql part is obsoleted by the ocf trace facility.

dmuhamedagic, Nov 06 '17 20:11

This has been open for quite a while. General discussion of the issues is available in https://bugzilla.suse.com/show_bug.cgi?id=1021689 (ocfmon user created with "OCFMON" as default password)

Individual issues we track:

  • Static default credentials https://bugzilla.suse.com/show_bug.cgi?id=1146687
  • Predictable tmp file in sapdb-nosha.sh https://bugzilla.suse.com/show_bug.cgi?id=1146690
  • Predictable log file in /tmp in mariadb.in https://bugzilla.suse.com/show_bug.cgi?id=1146691
  • Predictable tmp file in ClusterMon https://bugzilla.suse.com/show_bug.cgi?id=1146692
  • Insecure default tmp file name in openstack-cinder-volume https://bugzilla.suse.com/show_bug.cgi?id=1146766
  • Code execution via insecure tmp files in db2 https://bugzilla.suse.com/show_bug.cgi?id=1146776
  • Static tmp file in drbd.linbit https://bugzilla.suse.com/show_bug.cgi?id=1146784
  • Static tmp file in oradg.sh.in https://bugzilla.suse.com/show_bug.cgi?id=1146785
  • Static tmp file in caselib.in https://bugzilla.suse.com/show_bug.cgi?id=1146787
  • eval with unsanitized values in heartbeat/db https://bugzilla.suse.com/show_bug.cgi?id=1146789

jsegitz, Mar 18 '20 10:03