[ewg] [PATCH] security fix in openibd script

Jay Lan jlan at sgi.com
Mon Oct 25 11:08:12 PDT 2010 

Vladimir Sokolovsky wrote:
> On 10/22/2010 12:50 AM, Jay Lan wrote:
>> # Dale Talcott of NASA Ames submitted a bug report and his patch to SGI.
>> # I herein submitted this patch for him. The patch is against 1.5.2 -
>> jlan at sgi.com
>>
>>
>> The openibd startup script from the OFED rpm includes the following 
>> code to
>> create a script that it runs in the background:
>>
>> ...
>> cat << EOF >> /tmp/ib_set_node_desc.sh
>> #!/bin/bash
>>
>> # Wait while node's hostname is set
>> sleep 10
>> # Add node description to sysfs
>> IBSYSDIR="/sys/class/infiniband"
>> if [ -d \${IBSYSDIR} ]; then
>> declare -i hca_id=1
>> for hca in \${IBSYSDIR}/*
>> do
>> if [ -e \${hca}/node_desc ]; then
>> logger -i "Set node_desc for \$(basename \$hca): \$(hostname -s)
>> HCA-\${hca_id}"
>> echo -n "\$(hostname -s) HCA-\${hca_id}" >> \${hca}/node_desc
>> fi
>> let hca_id++
>> done
>> fi
>> /bin/rm -f \$0
>> EOF
>>
>> chmod 755 /tmp/ib_set_node_desc.sh
>> /tmp/ib_set_node_desc.sh > /dev/null 2>&1 &
>>
>> The problems with this startup script are many, but the security issue
>> is that
>> the script, while running as root during system startup, writes to a
>> predictable file name in /tmp (/tmp/ib_set_node_desc.sh). If a user
>> creates a
>> symlink with that path ahead of time, the next reboot can clobber any
>> file root
>> has access to.
>>
>> There are several fixes, but one is to avoid the use of the temporary 
>> file
>> altogether.
>>
>>
>> Signed-off-by: Jay Lan <jlan at sgi.com>
>>
>>
>
>
> Hi Jay,
> The purpose of creating a temporary script for setting node 
> description was to avoid blocking (sleep 10) of the openibd script.
> So, as a solution I propose to use a script with randomly created name 
> (mktemp /tmp/ib_set_node_desc.XXXXXXXX).
> What do you think?

Hi Vladimir,

That would be one possible fix, but we can achieve this without
creating a temporary file altogether.

Note that the patch would execute ib_set_node_desc() in sub shell:

+    ib_set_node_desc > /dev/null 2>&1 &

there would be no blocking  of the openibd script. I put in 'date'
before and after that line, and it showed no delay at all.

Regards,
Jay



>
> Regards,
> Vladimir

More information about the ewg mailing list