[ewg] [PATCH] security fix in openibd script
Jay Lan
jlan at sgi.com
Thu Oct 21 15:50:20 PDT 2010
# Dale Talcott of NASA Ames submitted a bug report and his patch to SGI.
# I herein submitted this patch for him. The patch is against 1.5.2 - jlan at sgi.com
The openibd startup script from the OFED rpm includes the following code to
create a script that it runs in the background:
...
cat << EOF >> /tmp/ib_set_node_desc.sh
#!/bin/bash
# Wait while node's hostname is set
sleep 10
# Add node description to sysfs
IBSYSDIR="/sys/class/infiniband"
if [ -d \${IBSYSDIR} ]; then
    declare -i hca_id=1
    for hca in \${IBSYSDIR}/*
    do
        if [ -e \${hca}/node_desc ]; then
            logger -i "Set node_desc for \$(basename \$hca): \$(hostname -s) HCA-\${hca_id}"
            echo -n "\$(hostname -s) HCA-\${hca_id}" >> \${hca}/node_desc
        fi
        let hca_id++
    done
fi
/bin/rm -f \$0
EOF
chmod 755 /tmp/ib_set_node_desc.sh
/tmp/ib_set_node_desc.sh > /dev/null 2>&1 &

The problems with this startup script are many, but the security issue is
that the script, while running as root during system startup, writes to a
predictable file name in /tmp (/tmp/ib_set_node_desc.sh). If a user creates
a symlink with that path ahead of time, the next reboot can clobber any file
root has access to.

There are several fixes, but one is to avoid the use of the temporary file
altogether.

Signed-off-by: Jay Lan <jlan at sgi.com>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: security-fix-openibd
URL: <http://lists.openfabrics.org/pipermail/ewg/attachments/20101021/1416a45a/attachment.ksh>
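
One way to do what the message suggests and avoid the temporary file altogether, shown as an added example (it is not the attached patch and not OFED code): the same node_desc logic kept as a shell function and run in a background subshell. The function name set_node_desc and its three optional arguments are assumptions, introduced so the logic can be run against a constructed directory instead of the real sysfs tree.

```shell
#!/bin/bash
# Added example, not the attached patch. set_node_desc and its arguments
# (sysfs root, delay in seconds, short host name) are hypothetical.

set_node_desc() {
    local ibsysdir="${1:-/sys/class/infiniband}"
    local delay="${2:-10}"
    local name="${3:-$(hostname -s)}"
    local hca_id=1 hca desc

    # Wait while the node's hostname is set (same delay as the original).
    sleep "$delay"

    # Nothing to do when the InfiniBand class directory is absent.
    [ -d "$ibsysdir" ] || return 0

    for hca in "$ibsysdir"/*; do
        if [ -e "$hca/node_desc" ]; then
            desc="$name HCA-${hca_id}"
            # Logging is best effort; a missing logger must not abort startup.
            logger -i "Set node_desc for $(basename "$hca"): $desc" \
                2>/dev/null || true
            # printf instead of echo -n: no trailing newline, portable to sh.
            printf '%s' "$desc" >> "$hca/node_desc"
        fi
        # As in the original, the counter advances for every entry.
        hca_id=$((hca_id + 1))
    done
}

# In the init script the function runs in a background subshell, so root
# never creates or executes a file under /tmp and there is no predictable
# path for a symlink to occupy:
#
#   ( set_node_desc ) > /dev/null 2>&1 &
```

The only paths root writes to are the node_desc entries under the sysfs directory, which unprivileged users cannot replace with links.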