From anarcat@anarcat.dyndns.org  Wed Nov 21 12:09:22 2001
Return-Path: <anarcat@anarcat.dyndns.org>
Received: from tomts20-srv.bellnexxia.net (tomts20.bellnexxia.net [209.226.175.74])
	by hub.freebsd.org (Postfix) with ESMTP id 21C8937B416
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Nov 2001 12:09:17 -0800 (PST)
Received: from khan.anarcat.dyndns.org ([65.94.128.110])
          by tomts20-srv.bellnexxia.net
          (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP
          id <20011121200916.FPAK25459.tomts20-srv.bellnexxia.net@khan.anarcat.dyndns.org>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Wed, 21 Nov 2001 15:09:16 -0500
Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1])
	by khan.anarcat.dyndns.org (Postfix) with ESMTP id B70F21A38
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 21 Nov 2001 15:10:29 -0500 (EST)
Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000)
	id 8215920ADB; Wed, 21 Nov 2001 15:10:52 -0500 (EST)
Message-Id: <20011121201052.8215920ADB@shall.anarcat.dyndns.org>
Date: Wed, 21 Nov 2001 15:10:52 -0500 (EST)
From: The Anarcat <anarcat@anarcat.dyndns.org>
Reply-To: The Anarcat <anarcat@anarcat.dyndns.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: pkg_add creates its temporary directories world writable
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32172
>Category:       bin
>Synopsis:       pkg_add creates its temporary directories world writable
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 21 12:10:01 PST 2001
>Closed-Date:    Fri Nov 23 17:33:39 PST 2001
>Last-Modified:  Fri Nov 23 17:36:32 PST 2001
>Originator:     The Anarcat
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Nada, Inc.
>Environment:
System: FreeBSD shall.anarcat.dyndns.org 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Nov 16 12:57:38 EST 2001 anarcat@shall.anarcat.dyndns.org:/usr/obj/usr/src/sys/SHALL i386

>Description:

pkg_add, when untarring a package prior to its installation, creates all
directories in this package with world-writable protection. Since some
packages are pretty big (e.g. XFree86), the time during which these
directories are available is not negligible and is most definitely
enough to hack some of the binaries getting installed.

Vital third-party programs such as httpd or xterm can be easily
overwritten by a third party.

>How-To-Repeat:

unsuspecting_admin# pkg_add XFree86
<wait>...

evil_attacker$ cd /var/tmp/inst*
evil_attacker$ cd bin
evil_attacker$ mv ~/my_hacked_xfree_server XFree86
evil_attacker$ <grin>

>Fix:

I think I found out why it's doing this... When you use the -p switch in
tar invocations on packages, directories get created as 777!!!

The problem is in file.c:

--- /usr/src/usr.sbin/pkg_install/lib/file.c      Thu Nov 15 16:35:52 2001
+++ /home/anarcat/file.c        Wed Nov 21 15:01:10 2001
@@ -465,7 +465,7 @@
     }
     else
        strcpy(args, "-z");
-    strcat(args, " -xpf");
+    strcat(args, " -xf");
     if (vsystem("tar %s '%s' %s", args, pkg, flist ? flist : "")) {
        warnx("tar extract of %s failed!", pkg);
        return 1;
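
Review bot: dropping `-p` at the `strcat(args, " -xf")` line changes mode handling for every extracted entry, not only directories, and leaves the resulting modes to tar's defaults and whatever umask is in effect when `vsystem("tar %s '%s' %s", ...)` runs, which this hunk does not set. The exposure is better closed at the staging directory itself: create or chmod the top-level extraction directory to 0700 before calling tar, so the modes recorded in the archive no longer matter while the package is unpacked, and keep `-p` unless its removal is justified separately. A comment on this line recording why the flag is or is not passed would also help the next reader.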


This might cause problems with special permissions on packages with suid
binaries, though. I'm not sure of what the effect of -p actually is, but
a quick test shows tar keeps suid permissions, even without it.

Does anyone have an idea why -p was there in the first place???
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: jkh 
State-Changed-When: Fri Nov 23 17:33:39 PST 2001 
State-Changed-Why:  
Fixed by setting top directory to 0700, making contents unbrowsable 
(and hence far harder to target). 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32172 
>Unformatted:
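
The fix recorded in the audit trail (top directory set to 0700) can be created and verified as sketched below. This is an added example, not code from pkg_install or from this PR; the function names and the /tmp/instmp.XXXXXX template are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for mkdtemp(3) and lstat(2) on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if path is a real directory (not a
 * symlink), owned by the effective user, with no group or other
 * permission bits set; returns 0 otherwise. */
int staging_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Hypothetical helper: creates the staging directory from a mkdtemp(3)
 * template. mkdtemp creates it with mode 0700; the result is re-checked
 * before anything is unpacked into it. Returns 0 on success, -1 on failure. */
int make_private_staging(char *tmpl)
{
    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (!staging_is_private(tmpl)) {
        rmdir(tmpl);
        return -1;
    }
    return 0;
}

int main(void)
{
    char top[] = "/tmp/instmp.XXXXXX";   /* constructed sample path */
    char sub[64];
    if (make_private_staging(top) != 0)
        return 1;
    snprintf(sub, sizeof sub, "%s/bin", top);
    mkdir(sub, 0777);
    chmod(sub, 0777);                    /* what a 0777 archive entry leaves behind */
    printf("top private: %d, bin private: %d\n",
           staging_is_private(top), staging_is_private(sub));
    rmdir(sub);
    return rmdir(top) != 0;
}
```

The inner `bin` directory is still mode 0777, but other users cannot traverse the 0700 parent to reach it, which is the property the committed fix relies on.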
