Race Condition in the bashbug script


From: Stefan Nordhausen
Subject: Race Condition in the bashbug script
Date: Wed, 31 Mar 2004 01:42:45 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Hi!

The bashbug script contains a (known, but not yet fixed) race condition when it tries to create its temporary files. This race condition is exploitable even when mktemp or tempfile are available (see [1], chapter 3.6). The attached diff against bash 2.05 gets rid of the race condition and also makes the bashbug script quite a bit smaller.

Regards
Stefan

[1] http://www.linuxsecurity.com/articles/documentation_article-8886.html
--- old/bashbug.sh      2001-10-30 20:51:18.000000000 +0100
+++ new/bashbug.sh      2004-03-31 00:44:01.000000000 +0200
@@ -22,35 +22,18 @@
 PATH=/bin:/usr/bin:/usr/local/bin:$PATH
 export PATH
 
-# If the OS supplies a program to make temp files with semi-random names,
-# use it.
+# Check if TMPDIR is set, default to /tmp
 : ${TMPDIR:=/tmp}
-rm_tmp1=false
-rm_tmp2=false
-
-# if we don't have mktemp or tempfile, we don't want to see error messages
-# like `mktemp: not found', so temporarily redirect stderr using {...} while
-# trying to run them.  this may fail using old versions of the bourne shell
-# that run {...} blocks with redirections in subshells; in that case we're
-# no worse off than previous versions
-
-{ TEMPFILE1=`mktemp "$TMPDIR/bbug.XXXXXX" 2>/dev/null` ; } 2>/dev/null
-if [ -z "$TEMPFILE1" ]; then
-       { TEMPFILE1=`tempfile --prefix bbug --mode 600 2>/dev/null`; } 
2>/dev/null
-fi
-if [ -z "$TEMPFILE1" ]; then
-       TEMPFILE1=$TMPDIR/bbug.$$
-       rm_tmp1=true
-fi
-{ TEMPFILE2=`mktemp "$TMPDIR/bbug.XXXXXX" 2>/dev/null`; } 2>/dev/null
-if [ -z "$TEMPFILE2" ]; then
-       { TEMPFILE2=`tempfile --prefix bbug --mode 600 2>/dev/null`; } 
2>/dev/null
-fi
-if [ -z "$TEMPFILE2" ]; then
-       TEMPFILE2="$TMPDIR/bbug.$$.x"
-       rm_tmp2=true
-fi
 
+#Securely create a temporary directory for the temporary files
+TEMPDIR=$TMPDIR/bbug.$$
+(umask 077 && mkdir $TEMPDIR) || {
+        echo "Could not create temporary directory. Exiting!"
+        exit 1
+        }
+TEMPFILE1=$TEMPDIR/bbug1
+TEMPFILE2=$TEMPDIR/bbug2
+        
 USAGE="Usage: $0 [--help] [--version] [bug-report-email-address]"
 VERSTR="GNU bashbug, version ${RELEASE}.${PATCHLEVEL}-${RELSTATUS}"
 
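Review bot: The directory name in the added `TEMPDIR=$TMPDIR/bbug.$$` line is still predictable from the PID. `mkdir` fails when the path already exists, so the race of the old `bbug.$$` file fallback is closed, but any local user can pre-create `bbug.<pid>` entries in a shared TMPDIR and make bashbug exit at this point. Consider trying `mktemp -d "$TMPDIR/bbug.XXXXXX"` first and keeping the `mkdir` path as the fallback when mktemp is missing. Also quote the expansion (`mkdir "$TEMPDIR"`), since the rest of the script quotes its temp paths and TMPDIR may contain whitespace, and send the error message to stderr with `>&2`.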
@@ -149,8 +132,8 @@
 
 : ${USER=${LOGNAME-`whoami`}}
 
-trap 'rm -f "$TEMPFILE1" "$TEMPFILE2"; exit 1' 1 2 3 13 15
-trap 'rm -f "$TEMPFILE1" "$TEMPFILE2"' 0
+trap 'rm -rf "$TEMPDIR"; exit 1' 1 2 3 13 15
+trap 'rm -rf "$TEMPDIR"' 0
 
 UN=
 if (uname) >/dev/null 2>&1; then
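Review bot: These traps are the only cleanup for `$TEMPDIR`, but they are installed around line 135 of the new file while the directory is created near line 30, so an exit or signal in between leaves an empty `bbug.$$` directory behind. Either move the `mkdir` block down to just before the traps or install the traps right after the directory is created. Separately, `TEMPDIR` differs from `TMPDIR` by one letter and is now the argument of `rm -rf`; a more distinct variable name would make a typo less costly.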
@@ -170,9 +153,6 @@
 
 INITIAL_SUBJECT='[50 character or so descriptive subject here (for reference)]'
 
-# this is raceable unless (hopefully) we used mktemp(1) or tempfile(1)
-$rm_tmp1 && rm -f "$TEMPFILE1"
-
 cat > "$TEMPFILE1" <<EOF
 From: ${USER}
 To: ${BUGADDR}
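Review bot: With the `rm -f` and its comment removed, nothing near `cat > "$TEMPFILE1"` says why writing to a fixed file name is now safe. A one-line comment stating that `$TEMPFILE1` lives in the private directory created under `umask 077` would document the invariant. Note that the `umask` runs inside a subshell, so the file itself is created with the caller's umask and is protected only by the directory mode.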
@@ -202,9 +182,6 @@
        fix for the problem, don't include this section.]
 EOF
 
-# this is still raceable unless (hopefully) we used mktemp(1) or tempfile(1)
-$rm_tmp2 && rm -f "$TEMPFILE2"
-
 cp "$TEMPFILE1" "$TEMPFILE2"
 chmod u+w "$TEMPFILE1"
 
@@ -255,7 +232,7 @@
 
 done
 
-trap 'rm -f "$TEMPFILE1" "$TEMPFILE2"; exit 1' 2       # restore trap on SIGINT
+trap 'rm -rf "$TEMPDIR"; exit 1' 2     # restore trap on SIGINT
 
 if cmp -s "$TEMPFILE1" "$TEMPFILE2"
 then
