TUCoPS :: BSD :: bsd5391.htm

rc uses file globbing in insecure directories
4th Jun 2002 [SBWID-5391]
COMMAND

	rc uses file globbing in insecure directories

SYSTEMS AFFECTED

	 FreeBSD 4.4-RELEASE

	 FreeBSD 4.5-RELEASE

	 FreeBSD 4-STABLE prior to the correction date

	

PROBLEM

	lumpy <lumpy@the.whole.net> found a  bug  regarding  rc,  the  system
	startup script  (/etc/rc),  as  related  in  FreeBSD  Security  Advisory
	FreeBSD-SA-02:27.rc:
	

	rc is the system startup script (/etc/rc). It is run  when  the  FreeBSD
	is booted multi-user, and performs a multitude of  tasks  to  bring  the
	system up. One of these  tasks  is  to  remove  lock  files  left  by  X
	Windows, as their existence could prevent  one  from  restarting  the  X
	Windows server.
	

	 Problem Description

	 ===================

	

	When removing X Windows lock files, rc uses the rm(1) command and  shell
	globbing:
	

	

	   rm -f /tmp/.X*-lock /tmp/.X11-unix/*

	

	

	Since  /tmp  is  a  world-writable  directory,   a   user   may   create
	/tmp/.X11-unix as a symbolic link to an arbitrary  directory.  The  next
	time that rc is run (i.e. the next time the system is booted),  rc  will
	then remove all of the files in that directory.
	

	 Impact

	 ======

	

	Users  may  remove  the  contents  of  arbitrary  directories   if   the
	/tmp/.X11-unix directory does not already exist and the  system  can  be
	enticed  to  reboot  (or  the  user  can  wait  until  the  next  system
	maintenance window).

SOLUTION

	 Workaround

	 ===========

	

	Find and remove or comment-out the following line in /etc/rc:
	

	

	   rm -f /tmp/.X*-lock /tmp/.X11-unix/*

	

	

	The following command executed as root will do this:
	

	

	   /bin/sh -c \'echo -e \"/.X11-unix/s/^/#/\\nw\\nq\\n\" | /bin/ed -s /etc/rc\'

	

	

	

	 Solution

	 ========

	

	1) Upgrade your vulnerable system to 4.5-STABLE; or  to  either  of  the
	RELENG_4_5 (4.5-RELEASE-p6)  or  RELENG_4_4  (4.4-RELEASE-p13)  security
	branches dated after the respective correction dates.
	

	2) To patch your present system:
	

	a) Download the relevant patch from the location below, and  verify  the
	detached PGP signature using your PGP utility.
	

	

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch.asc

	

	

	b) Execute the following commands as root:
	

	

	# cd /usr/src

	# patch < /path/to/patch

	

	

	c) Install the new rc script:
	

	

	# cd /usr/src/etc

	# install -c -o root -g wheel -m 644 rc /etc/rc

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH