visudo: please use /tmp or other location for temporary file

Automatically imported from Debian bug report #283161 http://bugs.debian.org/283161

Message-ID: <email address hidden>
Date: Fri, 26 Nov 2004 23:38:46 +0100
From: martin f krafft <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: visudo: please use /tmp or other location for temporary file

--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: sudo
Version: 1.6.7p5-2
Severity: minor

visudo creates and uses /etc/visudo.tmp. While this may or may not
be subject to race conditions, a temporary file certainly does not
belong into /etc. Please use /tmp or $TMPDIR instead.

Thanks,

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (600, 'testing'), (98, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-cirrus
Locale: LANG=3Den_GB, LC_CTYPE=3Den_GB.UTF-8 (charmap=3DUTF-8)

Versions of packages sudo depends on:
ii libc6 2.3.2.ds1-18 GNU C Library: Shared librarie=
s an
ii libpam-modules 0.76-22 Pluggable Authentication Modul=
es f
ii libpam0g 0.76-22 Pluggable Authentication Modul=
es l

-- no debconf information

--=20
 .''`. martin f. krafft <email address hidden>
: :' : proud Debian developer, admin, user, and author
`. `'`
  `- Debian - when you have better things to do than fixing a system
=20
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

--9amGYk9869ThD9tj
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBp7B2IgvIgzMMSnURAnqaAKDCsDhynKAVGKbtgSiIjlEPOvvadQCfdhNM
HjORr3cFRThEwgJfUCSKn5c=
=+q9P
-----END PGP SIGNATURE-----

--9amGYk9869ThD9tj--

Message-ID: <email address hidden>
Date: Thu, 21 Apr 2005 12:13:41 +1000
From: Geoff Crompton <email address hidden>
To: <email address hidden>
Subject: bewary of bid 13171 when doing this

If you do fix this bug, and patch sudo to create temp file in /tmp (or
whereever), please be wary of issue mentioned at:
http://www.securityfocus.com/bid/13171,

You'd need to patch to change the naming of the temp file as well as the
directory. I'm sure you'd be aware of that though.

--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000

Not a big deal, thus downgrading. /etc/ is only writeable by root, and visudo
properly checks for already existing files:

$ sudo visudo
Password:
visudo: sudoers file busy, try again later

I can't see a security issue here, this is just a (rather cosmetical) bug;
temporary files do not belong into /etc.

See Joey Hess' latest comment in debbugs. Still not a major issue, but deserves
a closer look.

Message-ID: <email address hidden>
Date: Tue, 3 May 2005 22:52:41 -0400
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2005-1119

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

As I read http://www.securityfocus.com/bid/13171/discussion/ , which has
been assigned CVE id CAN-2005-1119, this is a security hole because
visodo is not limited to editing /etc/sudoers. With the -f switch, it
can be made to edit some other file; if that other file is in a
directory to which an attacker has write access, they can overwrite
arbitrary files via a symlink attack.

Still fairly theoretical, but I wanted to note that this is
CAN-2005-1119 ..

--=20
see shy jo

--0F1p//8PRICkK4MW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCeDj5d8HHehbQuO8RAiBgAKCiubC4WTlJeuc0fMSZXJ1suW5EdgCfXIKQ
YzIjM6k+E5mCept5pZmEdUo=
=p7vS
-----END PGP SIGNATURE-----

--0F1p//8PRICkK4MW--

Message-ID: <email address hidden>
Date: Wed, 4 May 2005 10:52:44 +0100
From: Colin Watson <email address hidden>
To: martin f krafft <email address hidden>
Cc: <email address hidden>
Subject: Re: visudo: please use /tmp or other location for temporary file

On Fri, Nov 26, 2004 at 11:38:46PM +0100, martin f krafft wrote:
> Package: sudo
> Version: 1.6.7p5-2
> Severity: minor
>
> visudo creates and uses /etc/visudo.tmp. While this may or may not
> be subject to race conditions, a temporary file certainly does not
> belong into /etc. Please use /tmp or $TMPDIR instead.

We have to be a bit careful here, I think; visudo currently issues a
warning if the temporary file is on a different filesystem.

--
Colin Watson [<email address hidden>]

visudo must atomically swap the old configuration for the new one. There must never be a time where sudo can see a partially written sudoers file. The temporary should always be placed in the same directory (currently the best way to be sure its being put on the same filesystem and so that differing permissions on different directories don't cause suprising behaviour).

Just to clarify my previous comment, I don't think this is a bug and should be marked invalid as altering the current behaviour to match typical temporary file use would be a grave erro,r possibly opening systems up toexploitation.