Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability: fixed path in o=rwx directory in .deb #93

Open
AJCxZ0 opened this issue Oct 26, 2020 · 6 comments
Open

Security vulnerability: fixed path in o=rwx directory in .deb #93

AJCxZ0 opened this issue Oct 26, 2020 · 6 comments

Comments

@AJCxZ0
Copy link

AJCxZ0 commented Oct 26, 2020

The preinst and postinst files indicate the use of a fixed path in a world-writable directory and likely vulnerability to a symlink attack.
Use of mktemp(1) is strongly recommended.

I have not tested the .deb install.

No Security policy, so reporting here.
@andy-portmen
Copy link
Owner

We need a temporary place to copy the installer files during the deb generation. How about the new /opt/native-client/

andy-portmen added a commit that referenced this issue Oct 27, 2020
@andy-portmen
generating debian packge; fixes #93
3078bd0
@AJCxZ0
Copy link
Author

AJCxZ0 commented Oct 27, 2020
edited
Loading

No, /opt is not an appropriate location for temporary files.
/tmp is the correct location, however the problem is using a known fixed path in that directory. See e.g. CAPEC-132. This is trivially fixed by using mktemp(1).

@andy-portmen
Copy link
Owner

We need a temporary directory that is generated during the package creation to keep the installation files. So we cannot use mktemp. see https://github.com/andy-portmen/native-client/blob/master/prepare.sh#L14

@andy-portmen andy-portmen reopened this Oct 27, 2020
@andy-portmen
Copy link
Owner

@AJCxZ0 How about /usr/share/native-client/?
5607658

@andy-portmen andy-portmen mentioned this issue Nov 3, 2020
Open
@AJCxZ0
Copy link
Author

AJCxZ0 commented Nov 4, 2020

No, /usr/share is also the wrong place for temporary files. The Filesystem Hierarchy Standard describes the purpose of the various directories and local implimentation is described in hier(7).
If, for reasons which are remain unclear to me, you cannot use mktemp(1), then assuming derived names are similarly problematic, the old fashioned method is to start by testing for the existence of an unlikely fixed path, e.g. /tmp/native-client.l2MdGdgVstpt7XGZKmr7JOxXmQn, and test for its existence. If it exists and you cannot remove it, then error and exit, else create it with a suitably restricted mode such as 700, use and remove it.

The real question of how to properly build the package, but my experience of packaging on Debian is too little and too old give a useful and authoritative answer or recognise one with sufficient confidence to recommend it.

@andy-portmen
Copy link
Owner

If, for reasons which are remain unclear to me, you cannot use mktemp(1)

We have a NodeJS executable and a few JS files that are supposed to place browser specific files inside the home directory. I need to place them inside the package and somehow have access to them to run the installer. I tried to place them inside the "DEBIAN" directory, but I couldn't find a way to have access to them during the installation. The mktemp works fine if you need a temp directory just during the installation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andy-portmen @AJCxZ0