[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] move ebiptables script out of /tmp


I noticed today that ebiptablesWriteToTempFile() creates a temporary
file in /tmp that is later executed. It uses mkstemp() and therefore is
safe from symlinks attacks, however, there is not really any reason that
I can see why it is using /tmp instead of somewhere
like /var/lib/libvirt. If libvirtd is confined under a MAC which allows
execution of /tmp/virtd* and a vulnerability is found in libvirtd,
the /tmp path leaves an opportunity for a local non-root attacker to
write a script in /tmp and then subvert libvirt to execute that script.
Putting it in /var/lib/libvirt (or somewhere without world-write
permissions) would prevent this.

I do not consider this a security vulnerability, but rather defensive
programming. Attached is a patch that uses LOCAL_STATE_DIR
"/lib/libvirt/virtdXXXXXX". Feel free to move it somewhere else if
desired. Patch is against head.


Jamie Strandboge             | http://www.canonical.com
diff -Naurp libvirt.orig/src/nwfilter/nwfilter_ebiptables_driver.c libvirt/src/nwfilter/nwfilter_ebiptables_driver.c
--- libvirt.orig/src/nwfilter/nwfilter_ebiptables_driver.c	2010-06-16 13:41:10.000000000 -0500
+++ libvirt/src/nwfilter/nwfilter_ebiptables_driver.c	2010-06-16 13:42:29.000000000 -0500
@@ -2183,7 +2183,7 @@ ebiptablesDisplayRuleInstance(virConnect
 static char *
 ebiptablesWriteToTempFile(const char *string) {
-    char filename[] = "/tmp/virtdXXXXXX";
+    char filename[] = LOCAL_STATE_DIR "/lib/libvirt/virtdXXXXXX";
     int len;
     char *filnam;
     virBuffer buf = VIR_BUFFER_INITIALIZER;

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]