|
lbuscd-0.6-alt10.x86_64 |
unsafe-tmp-usage-in-scripts |
info |
The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /lib/udev/remove_fstab_entry: $ grep -A5 -B5 /tmp/ /lib/udev/remove_fstab_entry # remove_fstab_entry # place in /lib/udev devicename=$1 grep '^/dev/'${devicename}'[[:blank:]]' /tmp/fstab | while read DEV MOUNTDIR TYPE OPTIONS DUMP PASS; do MOUNTPOINT=`basename "${MOUNTDIR}"` echo "RemoveDevice|${MOUNTPOINT}" > /tmp/lbus.fifo umount -l ${DEV} 2>&1 >/dev/null rmdir ${MOUNTDIR} done grep -v '^/dev/'$devicename'[[:blank:]]' /tmp/fstab >/tmp/fstab.tmp cp -f /tmp/fstab.tmp /tmp/fstab rm /tmp/fstab.tmp Found error in /lib/udev/add_fstab_entry: $ grep -A5 -B5 /tmp/ /lib/udev/add_fstab_entry LABEL=$(echo ${ID_BUS}${ID_TYPE}-$devicename |tr " " "_") fi fi # make sure the root we mount to exists ROOT=/tmp/drives [ -d $ROOT ] || mkdir ${ROOT} # invent $MOUNTPOINT MOUNTPOINT=$ROOT/$LABEL [ -d $MOUNTPOINT ] || mkdir ${MOUNTPOINT} -- if [ "${IOCHARSET}" = "utf8" ]; then MOUNTOPTS="${MOUNTOPTS},utf8" else MOUNTOPTS="${MOUNTOPTS},iocharset=${IOCHARSET}" fi echo "/dev/$devicename ${MOUNTPOINT} udf,iso9660,cdfs ${MOUNTOPTS} 0 0" >> /tmp/fstab echo "AddCdromDrive|${LABEL}|/dev/${devicename}|${DESCRIPTION}" > /tmp/lbus.fifo else REMOVABLE=0 MOUNTOPTS="rw,noatime" if [ ${BASEDEV} = "fd" ]; then DESCRIPTION="Floppy" -- fuse.ntfs|ntfs-3g) MOUNTOPTS="${MOUNTOPTS},silent,umask=000,locale=en_US.UTF-8" ;; esac fi echo "/dev/$devicename ${MOUNTPOINT} ${fstype} ${MOUNTOPTS} 0 0" >> /tmp/fstab echo "AddBlockDevice|${LABEL}|/dev/${devicename}|${REMOVABLE}|${SIZE}|${DESCRIPTION}" > /tmp/lbus.fifo fi |