[security-announce] Temporary File Handling Vulnerability

Lisa C Childers childers at mcs.anl.gov
Tue Aug 15 13:02:17 CDT 2006


Globus Security Advisory 2006-02:  Insecure Temporary File Handling

Original issue date: August 15 2006
Last revised: None

Software affected:

Globus Toolkit releases 3.2.x, 4.0.x, 4.1.0; older, unsupported versions
may also be vulnerable

Specific packages: GSI, CAS, RFT, MDS, RLS, MyProxy
  3.2.1:
    cas, ogsa, gt3_hostinfo, rips_condor_provider_setup,
    globus_rls_server, globus_gsi_sysconfig, globus_gsi_credential,
    rft
  4.0.2:
    globus_java_ws_core_common, globus_wsrf_cas_client_java,
    globus_wsrf_mds_trigger, globus_rls_server, globus_gsi_sysconfig,
    globus_gsi_credential, globus_wsrf_rft_service_java,
    globus_gram_job_manager, globus_gsi_cert_utils,
    globus_simple_ca_setup,
    globus_c_wsrf_core_performance_test,
    globus_c_wsrf_core_tools, globus_c_wsrf_rendezvous_test,
    globus_c_wsrf_notification_test,
    globus_c_wsrf_provider_test,
    globus_wsrf_gram_scheduler_test,
    globus_c_wsrf_core_test_interop_bindings,
    globus_c_wsrf_core_test_interop_client_test
  4.1.0:
    globus_wsrf_java_core, globus_wsrf_mds_trigger,
    globus_rls_server, gsi/sysconfig, gsi/credential,
    globus_wsrf_rft_service_java, globus_wsrf_mds_gkrellm

Reporter:   Alex Lambert, NCSA

Overview

Various components of the toolkit use files in shared directories to store
information, some of it sensitive. For example, the tool that creates proxy
certificates stores the generated proxy certificate in /tmp by default.
Specific vulnerabilities in handling such files were reported in
myproxy-admin-adduser, grid-ca-sign and grid-security-config.

I. Description

When a file is created in a shared directory, the process needs to ensure
that the file it is writing to was indeed created by the process itself.
The process also needs to ensure that the file has the correct permissions
set on it, so that it has exclusive control of the file. It has been
identified that some of the file handling in the toolkit does not ensure
the above.

II. Impact

An attack can occur if an attacker has permissions on the /tmp directory
and knows the process ID of a process that creates these temporary files.
The attacker can then set up a link from a temporary file to a sensitive
file and cause the sensitive file to be compromised. Similarly, the
attacker can create the temporary file with permissions allowing open
access and thereby obtain access to the victim's data.

III. Solution

Update packages with a fix for Globus Toolkit releases 3.2.1 and 4.0.2 are
available at:

http://www-unix.globus.org/toolkit/advisories.html

The patches ensure that new files are created atomically and that the
operation fails if the process is not able to create a new file. The
patches also set permissions on the file before anything is written to it.

We recommend that people running 4.0.2 and 3.2.1 apply the relevant
patches.  People running older versions should upgrade to the appropriate
recommended versions and apply the patch. Users of the 4.1.0 development
release have the option of updating the affected components to the latest
code from CVS trunk or installing 4.1.1 when it becomes available.


Note:

For the Java implementation, creating a new file and setting permissions
on it is not an atomic operation, so there is a small window in which the
created file can be compromised. This might be a concern in cases where
sensitive material is written to files, such as when proxy certificates
are created in the default location. To work around this, we recommend
that the umask in the user's account be set appropriately, so that a newly
created file is by default accessible only to its owner.
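
The creation pattern described under "III. Solution" (atomic creation that
fails if the name already exists, with permissions set before any data is
written), as an added C example. It is not Globus Toolkit code or the actual
patch; write_private_file(), try_create(), the scratch directory name and the
file contents are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a Globus function): create `path` as a new,
 * owner-only file and write buf to it. Returns 0, or -1 with errno set. */
int write_private_file(const char *path, const char *buf, size_t len)
{
    /* O_CREAT|O_EXCL is atomic and fails with EEXIST if the name exists,
     * even as a dangling symlink. Mode 0600 is applied at creation time. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {            /* any write error aborts the operation */
            close(fd);
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Constructed scenario in a scratch directory. plant: 0 = name is free,
 * 1 = symlink already planted there, 2 = open-access file already there.
 * Returns 0 on success, otherwise the errno from write_private_file(). */
int try_create(int plant)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX", path[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/proxy", dir);
    if (plant == 1 && symlink("victim", path) != 0)
        return -1;
    if (plant == 2 && close(creat(path, 0666)) != 0)
        return -1;
    int rc = write_private_file(path, "secret\n", 7) == 0 ? 0 : errno;
    if (rc == 0 && (stat(path, &st) != 0 || (st.st_mode & 077) != 0))
        rc = -1;                /* file must have no group/other access */
    unlink(path);
    rmdir(dir);
    return rc;
}
```

try_create(0) succeeds and leaves no group or other permission bits on the
file, while try_create(1) and try_create(2) both fail with EEXIST instead of
following the link or reusing the existing file.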





