[ewg] [PATCH] security fix in openibd script

Vladimir Sokolovsky vlad at dev.mellanox.co.il
Wed Oct 27 02:38:11 PDT 2010 

On 10/25/2010 08:08 PM, Jay Lan wrote:
> Vladimir Sokolovsky wrote:
>> On 10/22/2010 12:50 AM, Jay Lan wrote:
>>> # Dale Talcott of NASA Ames submitted a bug report and his patch to SGI.
>>> # I herein submitted this patch for him. The patch is against 1.5.2 -
>>> jlan at sgi.com
>>>
>>>
>>> The openibd startup script from the OFED rpm includes the following
>>> code to
>>> create a script that it runs in the background:
>>>
>>> ...
>>> cat << EOF >> /tmp/ib_set_node_desc.sh
>>> #!/bin/bash
>>>
>>> # Wait while node's hostname is set
>>> sleep 10
>>> # Add node description to sysfs
>>> IBSYSDIR="/sys/class/infiniband"
>>> if [ -d \${IBSYSDIR} ]; then
>>> declare -i hca_id=1
>>> for hca in \${IBSYSDIR}/*
>>> do
>>> if [ -e \${hca}/node_desc ]; then
>>> logger -i "Set node_desc for \$(basename \$hca): \$(hostname -s)
>>> HCA-\${hca_id}"
>>> echo -n "\$(hostname -s) HCA-\${hca_id}" >> \${hca}/node_desc
>>> fi
>>> let hca_id++
>>> done
>>> fi
>>> /bin/rm -f \$0
>>> EOF
>>>
>>> chmod 755 /tmp/ib_set_node_desc.sh
>>> /tmp/ib_set_node_desc.sh > /dev/null 2>&1 &
>>>
>>> The problems with this startup script are many, but the security issue
>>> is that
>>> the script, while running as root during system startup, writes to a
>>> predictable file name in /tmp (/tmp/ib_set_node_desc.sh). If a user
>>> creates a
>>> symlink with that path ahead of time, the next reboot can clobber any
>>> file root
>>> has access to.
>>>
>>> There are several fixes, but one is to avoid the use of the temporary
>>> file
>>> altogether.
>>>
>>>
>>> Signed-off-by: Jay Lan <jlan at sgi.com>
>>>
>>>
>>
>>
>> Hi Jay,
>> The purpose of creating a temporary script for setting node
>> description was to avoid blocking (sleep 10) of the openibd script.
>> So, as a solution I propose to use a script with randomly created name
>> (mktemp /tmp/ib_set_node_desc.XXXXXXXX).
>> What do you think?
>
> Hi Vladimir,
>
> That would be one possible fix, but we can achieve this without
> creating a temporary file altogether.
>
> Note that the patch would execute ib_set_node_desc() in sub shell:
>
> + ib_set_node_desc > /dev/null 2>&1 &
>
> there would be no blocking of the openibd script. I put in 'date'
> before and after that line, and it showed no delay at all.
>
> Regards,
> Jay
>

Hi Jay,
Sorry, I probably missed '&'.

I applied this patch to openibd.

Thanks,
Vladimir

More information about the ewg mailing list