Date: Thu, 17 Dec 1998 02:12:38 +0200
From: Stefan Laudat
Reply-To: Bugtraq List
To: BUGTRAQ@netspace.org
Subject: OSS nice tmp race

Hello all,

While digging in the "soundon" script delivered with the OSS package (the commercial
one, of course), I have discovered something very unusual on line 26

    $MODTOOLS/insmod -V > /tmp/oss.tmp 2>&1
    # KABOOM! "Hey, Beavis, told ya it was plutonium"
    MODVERS=`head -1 /tmp/oss.tmp|sed 's/.* //'`
    rm -f /tmp/oss.tmp # too late, buddy!

Nice,huh? Just imagine that almost all soundcards are PnP today, there are few admins that
know how to play with isapnp and ALSA (yeah, it rulez), the soundcfg or soundconf (whatever)
script that comes with RedHat 5.x sucks big time and most of the ppl running LeeNw00x use
OSS that seems to be a very good tool for the average RewT, honestly. And thank God OSS knows
lots of soundcards! Most of you are running the soundon script in rc.local, so the
satisfaction is guaranteed:

    ln -s /etc/inittab (next boot you're dead)

Don't worry, support@opensound.com has been already notified so they will correct the bug
ASAP I guess.
BTW there is no bugs@opensound.com, so I love their optimistic way of thinking.
I think the correct code is :

    ## insert before line 26
    if [ -L /tmp/oss.tmp ]
    then
        logger "Hey,man, you've got a naughty (l)user -- ".`ls -lsa /tmp/oss.tmp`

        # die, lam0r! :)

        rm /tmp/oss.tmp
    fi

Take care :)

--
Stefan Laudat
System Engineer - Dragon Art
"Power comes from the barrel of the gun" -- Mao Tze Dong

-----------------------------------------------------------------------

Date: Fri, 18 Dec 1998 19:39:27 +0100
From: Pavel Kankovsky
Reply-To: Bugtraq List
To: BUGTRAQ@netspace.org
Subject: Re: OSS nice tmp race

On Thu, 17 Dec 1998, Stefan Laudat wrote:

> I think the correct code is :
>
> ## insert before line 26
> if [ -L /tmp/oss.tmp ]
> then

Scream! There is no f... reason why you should do this way. But there are
good reasons why you should NOT.
For instance, /tmp/oss.tmp can be a HARDLINK to some important file.
One can make a directory of this name (denial of service).

Correct solution:

variant 1:

    TMPFILE=/var/run/oss.tmp
    $MODTOOLS/insmod -V > $TMPFILE
    ...

variant 2: (if you can't live without a file in /tmp)

    TMPFILE=`mktemp /tmp/oss.XXXXXX`
    [ -n "$TMPFILE" ] || exit 1 # cannot create a temp file
    $MODTOOLS/insmod -V > $TMPFILE
    ...

(OpenBSD's mktemp is included in all recent versions of RedHat and Debian)

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"

P.S. A real perfectionist would add some code to prevent a collision of
two concurrent invocations of soundon.

P.S.2 When was that bug reported? soundon in a recent OSS installation
I have seen last week puts the file into the directory it was installed in.
Putting temporary files into /usr is lame but it is certainly better than
/tmp/oss.tmp.

-----------------------------------------------------------------------

Date: Fri, 18 Dec 1998 22:41:40 +0100
From: Joel Eriksson
Reply-To: Bugtraq List
To: BUGTRAQ@netspace.org
Subject: Re: OSS nice tmp race

On Thu, 17 Dec 1998, Stefan Laudat wrote:

> While digging in the "soundon" script delivered with the OSS package (the commercial
> one, of course), I have discovered something very unusual on line 26
>
> $MODTOOLS/insmod -V > /tmp/oss.tmp 2>&1
> # KABOOM! "Hey, Beavis, told ya it was plutonium"
> MODVERS=`head -1 /tmp/oss.tmp|sed 's/.* //'`
> rm -f /tmp/oss.tmp # too late, buddy!
>
>
> Nice,huh? Just imagine that almost all soundcards are PnP today, there are few admins that
> know how to play with isapnp and ALSA (yeah, it rulez), the soundcfg or soundconf (whatever)
> script that comes with RedHat 5.x sucks big time and most of the ppl running LeeNw00x use
> OSS that seems to be a very good tool for the average RewT, honestly. And thank God OSS knows
> lots of soundcards!
> Most of you are running the soundon script in rc.local, so the
> satisfaction is guaranteed:
>
>
> ln -s /etc/inittab (next boot you're dead)
>
> Don't worry, support@opensound.com has been already notified so they will correct the bug
> ASAP I guess.
> BTW there is no bugs@opensound.com, so I love their optimistic way of thinking.
> I think the correct code is :
>
> ## insert before line 26
> if [ -L /tmp/oss.tmp ]
> then
> logger "Hey,man, you've got a naughty (l)user -- ".`ls -lsa /tmp/oss.tmp`
>
> # die, lam0r! :)
>
> rm /tmp/oss.tmp
> fi

There still exists a race-condition in that code, it just demands better
timing. If the checking for file-existence and the creation of the file
cannot be done atomically, don't do it.

In this case there is no need for a temporary file at all, IMHO a better
way to fix the problem is:

    MODVERS=$($MODTOOLS/insmod -V 2>/dev/null | head -1 | sed 's/.* //')

I think that would do the trick.

There are of course cases where it's not this easy to get rid of the need
for a temporary file, the best way to fix this problem I think would be if
all users had their own private tmp-directory. I have heard of patches
that make /tmp a pseudo-directory that is "private" for each user that
may be useful (I think it was for Linux, but I don't think it is widely
spread).

Since programmers keep repeating the old mistakes over and over again, the
responsibility is ultimately the users. One can't check all of the
sourcecode that we compile (at least not as thoroughly as may be needed),
but eliminating the possibility of certain common bugs from having any
dangerous implications is a first step. I think solutions like StackGuard
and the like are of great use when it comes to this.

> Stefan Laudat

Joel Eriksson

-----------------------------------------------------------------------
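
Added example, not part of any post in the thread: a sandboxed comparison of the fixed-name write from soundon line 26 with the mktemp and pipeline fixes proposed in the replies. The function names, the fake_insmod_V stand-in with its version string, and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Everything happens inside a private sandbox directory.

# Stand-in for "$MODTOOLS/insmod -V"; the version string is constructed.
fake_insmod_V() { echo "insmod version 2.1.85"; }

# Pattern from soundon line 26: the redirect follows whatever already
# sits at the predictable name, including a symlink.
modvers_fixed_name() {          # $1 = predictable temp path
    fake_insmod_V > "$1" 2>&1
    head -1 "$1" | sed 's/.* //'
    rm -f "$1"
}

# Variant 2 from the thread: mktemp picks an unpredictable name and creates
# the file with O_EXCL, so an existing file or link is never reused.
modvers_mktemp() {              # $1 = directory to create the file in
    tmpfile=$(mktemp "$1/oss.XXXXXX") || return 1
    fake_insmod_V > "$tmpfile" 2>&1
    head -1 "$tmpfile" | sed 's/.* //'
    rm -f "$tmpfile"
}

# The pipeline fix: no temporary file at all. 2>&1 is kept from line 26.
modvers_pipe() {
    fake_insmod_V 2>&1 | head -1 | sed 's/.* //'
}

# Put a symlink at the predictable name, run one variant, and print what
# the file behind the symlink contains afterwards.
victim_after() {                # $1 = fixed | mktemp
    box=$(mktemp -d) || return 1
    echo "important config" > "$box/victim"
    ln -s "$box/victim" "$box/oss.tmp"
    case $1 in
        fixed)  modvers_fixed_name "$box/oss.tmp" > /dev/null ;;
        mktemp) modvers_mktemp "$box" > /dev/null ;;
    esac
    cat "$box/victim"
    rm -rf "$box"
}

echo "fixed name -> $(victim_after fixed)"
echo "mktemp     -> $(victim_after mktemp)"
echo "pipeline   -> $(modvers_pipe)"
```

With the fixed name, the file behind the link ends up holding the insmod output; with mktemp it keeps its original content, and the pipeline never touches the filesystem.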