[ewg] [PATCH] security fix in openibd script

Jay Lan jlan at sgi.com
Thu Oct 21 15:50:20 PDT 2010

# Dale Talcott of NASA Ames submitted a bug report and his patch to SGI.
# I herein submitted this patch for him.  The patch is against 1.5.2  - 
jlan at sgi.com

The openibd startup script from the OFED rpm includes the following code to
create a script that it runs in the background:

cat << EOF >> /tmp/ib_set_node_desc.sh

# Wait while node's hostname is set
sleep 10
# Add node description to sysfs
if [ -d \${IBSYSDIR} ]; then
    declare -i hca_id=1
    for hca in \${IBSYSDIR}/*
        if [ -e \${hca}/node_desc ]; then
            logger -i "Set node_desc for \$(basename \$hca): \$(hostname -s)
            echo -n "\$(hostname -s) HCA-\${hca_id}" >> \${hca}/node_desc
        let hca_id++
/bin/rm -f \$0

    chmod 755 /tmp/ib_set_node_desc.sh
    /tmp/ib_set_node_desc.sh > /dev/null 2>&1 &

The problems with this startup script are many, but the security issue 
is that
the script, while running as root during system startup, writes to a
predictable file name in /tmp (/tmp/ib_set_node_desc.sh).  If a user 
creates a
symlink with that path ahead of time, the next reboot can clobber any 
file root
has access to.

There are several fixes, but one is to avoid the use of the temporary file

Signed-off-by: Jay Lan <jlan at sgi.com>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: security-fix-openibd
URL: <http://lists.openfabrics.org/pipermail/ewg/attachments/20101021/1416a45a/attachment.ksh>

More information about the ewg mailing list