Temporary Files
list Adam Goryachev
Just thought I might clarify tmp file handling for hobbit and hobbit client specifically. It would seem to me that tmp file handling is probably insecure... -rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913 -rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt ie, it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup. The vmstat file would be easier to do, since it is removed each time after use. Just thought it would be nice to use a tmp dir specifically for hobbit, such as /tmp/hobbit or /usr/lib/hobbit/client/tmp etc ..... Regards, Adam
list Lars Ebeling
In my installation I have 2 hobbit-tmpdirectories: $HOBBITHOME/client/tmp and $HOBBITHOME/server/tmp I don't understand what you mean, because they are created automatically. $ ll total 112 -rw------- 1 hobbit users 39 Dec 19 09:05 BB-DISKCHK.TMP -rw-rw-rw- 1 hobbit users 307 Dec 19 09:06 hobbit_vmstat.18544 -rw-rw-rw- 1 hobbit users 40935 Dec 19 09:06 msg.txt $ pwd /home/hobbit/client/tmp Regards Lars
▸
----- Original Message -----
From: "Adam Goryachev" <user-92fd6827f6ae@xymon.invalid>
To: <user-ae9b8668bcde@xymon.invalid>
Sent: Monday, December 19, 2005 5:33 AM
Subject: [hobbit] Temporary Files
Just thought I might clarify tmp file handling for hobbit and hobbit client specifically. It would seem to me that tmp file handling is probably insecure... -rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913 -rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt ie, it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup. The vmstat file would be easier to do, since it is removed each time after use. Just thought it would be nice to use a tmp dir specifically for hobbit, such as /tmp/hobbit or /usr/lib/hobbit/client/tmp etc ..... Regards, Adam
list Henrik Størner
▸
On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:
Just thought I might clarify tmp file handling for hobbit and hobbit client specifically. It would seem to me that tmp file handling is probably insecure... -rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913 -rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt ie, it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup. The vmstat file would be easier to do, since it is removed each time after use. Just thought it would be nice to use a tmp dir specifically for hobbit, such as /tmp/hobbit or /usr/lib/hobbit/client/tmp etc .....
Hobbit does create a tmp directory for itself. Unless you've changed the
configuration, all temporary files are kept in the directory pointed to
by the BBTMP setting in hobbitclient.cfg; by default that is
~hobbit/client/tmp/
The server uses the BBTMP setting from hobbitserver.cfg, which defaults
to ~hobbit/server/tmp/
You're right that the statically named "msg.txt" file could be a
problem. In the current snapshot I've changed the client script to
always generate the message using a temporary filename ("msg.txt.$$"
which uses the PID of the client process - it changes from time to time).
The hobbitclient.sh script now does
TEMPFILE="$BBTMP/msg.txt.$$"
rm -f $TEMPFILE
touch $TEMPFILE
... more commands to build and send the client message ...
rm -f $BBTMP/msg.txt
mv $TEMPFILE $BBTMP/msg.txt
The reason why I save the latest message in msg.txt is for debugging
only. The ideal thing would be to use the "mktemp" command, but that
is not available on all systems where the client may run.
This has been in the snapshots since November.
Regards,
Henrik
list Adam Goryachev
▸
On Mon, 2005-12-19 at 09:14 +0100, Henrik Stoerner wrote:
On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:Just thought I might clarify tmp file handling for hobbit and hobbit client specifically. It would seem to me that tmp file handling is probably insecure... -rw-r--r-- 1 hobbit hobbit 237 2005-12-19 14:41 hobbit_vmstat.12913 -rw-r--r-- 1 hobbit hobbit 14996 2005-12-19 14:41 msg.txt ie, it is easy for an 'attacker' to create a file called msg.txt before hobbit does (though it seems that file is kept there all the time, so it would have to be created between system bootup and hobbit startup.Hobbit does create a tmp directory for itself. Unless you've changed the configuration, all temporary files are kept in the directory pointed to by the BBTMP setting in hobbitclient.cfg; by default that is ~hobbit/client/tmp/
Well, I simply installed the 1.2p1 version from the deb file on sourceforge... I didn't customise/change anything at all. Perhaps this is different in the deb package version ??
▸
You're right that the statically named "msg.txt" file could be a
problem. In the current snapshot I've changed the client script to
always generate the message using a temporary filename ("msg.txt.$$"
which uses the PID of the client process - it changes from time to time).
The hobbitclient.sh script now does
TEMPFILE="$BBTMP/msg.txt.$$"
rm -f $TEMPFILE
touch $TEMPFILE
... more commands to build and send the client message ...
rm -f $BBTMP/msg.txt
mv $TEMPFILE $BBTMP/msg.txtIf using a private tmp directory, then I don't really see this as a problem.. however, how about something like: if [ -x /bin/mktemp ] then MKTEMP=/bin/mktemp else if [ -s /usr/bin/mktemp ] then MKTEMP=/usr/bin/mktemp fi if [ ! -z MKTEMP ] then TEMPFILE=`$MKTEMP $BBTMP/msg.txt.XXXXXXX` else TEMPFILE="$BBTMP/msg.txt.$$" rm -f $TEMPFILE touch $TEMPFILE etc.... fi that way on hosts that have a mktemp in some 'standard' location, then it will default to being 'more' secure....
▸
The reason why I save the latest message in msg.txt is for debugging only. The ideal thing would be to use the "mktemp" command, but that is not available on all systems where the client may run. This has been in the snapshots since November.
I suppose also, a simple if [ -e $TEMPFILE ] could check to see if the file exists, and then just immediately send some red alert to hobbit server with a reason.... "Possible symlink attack, file xyz already exists" etc.... Anyway, for me, it isn't a big concern, just noticed it, and thought I'd ask about it.... Regards, Adam