tags 497452 patch
thanks

Hi,

On Sep 01  22:26, Andreas Putzo wrote:
> Package: nfdump
> Version: 1.5.7-4
> Severity: grave
> Tags: security
> 
> nfdump in its default installation starts nfcapd as a daemon that
> creates a file in /var/tmp/nfcapd.current.<pid> as well as 
> /var/tmp/nfcapd.<yyyymmddhhmmss>. These files are vulnerable to symlink
> attacks, which is especially serious because nfcapd runs as root (see
> #497446) and thus can overwrite any file on the system.

Please look at attached patch that should fix this problem.

> I think the easiest way would be to fix #497446 and let nfcapd store its
> files in /var/lib/nfdump (-l command line switch) or similar instead of
> world-writeable /var/tmp.

I still think this point is valid and nfcapd should use a more sane
default directory to store its data files :)


Regards,
Andreas


--- nffile.c.orig	2008-09-02 20:10:30.000000000 +0000
+++ nffile.c	2008-09-02 20:11:34.000000000 +0000
@@ -415,7 +415,7 @@
 int				nffd;
 
 	*err = NULL;
-	nffd = open(filename, O_CREAT | O_RDWR | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH );
+	nffd = open(filename, O_CREAT | O_RDWR | O_TRUNC | O_EXCL, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH );
 	if ( nffd < 0 ) {
 		snprintf(error_string, ERR_SIZE, "Failed to open file %s: '%s'" , filename, strerror(errno));
 		error_string[ERR_SIZE-1] = 0;
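Review bot: With `O_EXCL` added, this `open()` now fails with EEXIST whenever the target already exists, yet the error branch below still reports only a generic "Failed to open file"; the same holds for both `open()` calls in nfstatfile.c. `O_TRUNC` is redundant next to `O_CREAT | O_EXCL` in all three calls, because a successful open always yields a newly created, empty file, so the line can read `nffd = open(filename, O_CREAT | O_RDWR | O_EXCL, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH );`. Since the file names under /var/tmp are predictable, a pre-existing entry still makes the capture fail, so the change converts the overwrite into a failure to start rather than removing the exposure; moving the default directory out of world-writable space, as the report suggests, is still needed. The function starts outside the hunk, so it is only inferred that other callers may use it to overwrite an existing output file on purpose; those callers would now fail and should be checked.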
--- nfstatfile.c.orig	2008-09-02 20:10:40.000000000 +0000
+++ nfstatfile.c	2008-09-02 20:04:15.000000000 +0000
@@ -308,7 +308,7 @@
 			if ( lock == READ_ONLY || lock == LOCK_IF_EXISTS) {	// no lock need
 				return ERR_NOSTATFILE;
 			} else {	// create the file, to and lock the file
-				fd =  open(filename, O_RDWR|O_TRUNC|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+				fd =  open(filename, O_RDWR|O_TRUNC|O_EXCL|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 				if ( fd < 0 ) {
 					LogError("open() error on '%s' in %s line %d: %s\n", filename, __FILE__, __LINE__, strerror(errno) );
 					free(dirstat_stack[next_free].dirstat);
@@ -455,7 +455,7 @@
 	filename = dirstat_stack[index].filename;
 
 	if ( fd == 0 ) {
-		fd =  open(filename, O_RDWR|O_TRUNC|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+		fd =  open(filename, O_RDWR|O_TRUNC|O_EXCL|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
     	if ( fd < 0 ) {
 			LogError( "open() error in %s line %d: %s\n", __FILE__, __LINE__, strerror(errno) );
 			return ERR_FAIL;
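Review bot: The `fd == 0` branch appears to reopen a stat file whose name is already registered in `dirstat_stack`, so the file will usually exist, and `O_EXCL` then makes this `open()` fail with EEXIST and return `ERR_FAIL` on what looks like the normal path. The function starts outside the hunk, so this needs confirming against the callers. If rewriting an existing stat file is intended here, refusing symlinks without demanding a fresh file fits better: `fd = open(filename, O_RDWR|O_TRUNC|O_CREAT|O_NOFOLLOW, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);`. `O_NOFOLLOW` covers only the final path component, so the containing directory must still not be writable by other users. The `LogError` call in this branch also omits the filename that the previous nfstatfile.c hunk logs, which makes an EEXIST failure hard to trace.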
