COMMAND
bash
SYSTEMS AFFECTED
Systems with bash
PROBLEM
Alexandre Stervinou found the following. This is another /tmp
symlink problem. Bash 2.01.1 and previous releases are affected.
The file concerned is bash-2.01.1/builtins/psize.sh.
A temporary file called /tmp/pipesize is created at each
compilation, without checking whether it already exists, what its
permissions are, or who owns it. This can lead to a data integrity
problem if someone has previously created a symlink with that name
pointing to another file on the system. At the end of the
compilation, the person who ran it may find that one of their own
files has been overwritten, if the symlink pointed to it.
Take a sensitive case: root compiles bash. A user called "user"
knows about this symlink problem and decides to cause /etc/passwd
to be overwritten.
user$ ln -s /etc/passwd /tmp/pipesize
One day, root wants to compile bash for his system. In the bash
source directory:
root# ./configure
root# make
Now the /etc/passwd file contains the pipe size corresponding to
the OS.
SOLUTION
Here is a simple fix. It is not perfect, but it reduces the problem
from a trivial attack to a less obvious race condition:
#-----------BEGIN psize.sh------------
#! /bin/sh
#
# psize.sh -- determine this system's pipe size, and write a define to
# pipesize.h so ulimit.c can use it.
#
# modified by Alexandre Stervinou, April 17th, 1998 -- possible symlink
# problem

echo "/*"
echo " * pipesize.h"
echo " *"
echo " * This file is automatically generated by psize.sh"
echo " * Do not edit!"
echo " */"
echo ""

TMPDIR=/tmp
# Per-process name instead of the fixed /tmp/pipesize
TMPNAME=pipesize.$$

# Remove the temporary file on HUP, INT, QUIT, ABRT and TERM
trap 'rm -rf $TMPDIR/$TMPNAME' 1 2 3 6 15

# Refuse to continue if the name already exists. A window remains
# between this test and the redirection below (the race noted above).
if [ ! -e $TMPDIR/$TMPNAME ]; then
    ./psize.aux 2>$TMPDIR/$TMPNAME | sleep 3

    if [ -s $TMPDIR/$TMPNAME ]; then
        echo "#define PIPESIZE `cat $TMPDIR/$TMPNAME`"
    else
        echo "#define PIPESIZE 512"
    fi
    rm -f $TMPDIR/$TMPNAME
else
    exit 1
fi

exit 0
#-----------END psize.sh------------
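
The following is an added example, not part of the original advisory or the bash sources. It shows how the race left by the fix above can be closed by making the existence check and the file creation a single step, and it contrasts a plain redirection with an exclusive one against a planted symlink. The helper names write_exclusive, make_private_tmp and demo are hypothetical, and the scratch directory and file contents are constructed.

```sh
#!/bin/sh
# Added example, not part of the bash distribution. All helper names are
# hypothetical; the scratch directory and file contents are constructed.

# Write stdin to "$1" only if that name is free. Under noclobber (set -C)
# the shell refuses an existing regular file (or a symlink to one); bash
# and dash create a missing name with O_CREAT|O_EXCL, which fails on any
# symlink instead of following it.
write_exclusive() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# Create an unpredictable, owner-only temp file and print its path.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/pipesize.XXXXXX"
}

# Plant a symlink named "pipesize" in a scratch directory, write "4096" to
# it in the given mode (naive | exclusive), and report what happened to the
# file the link points at.
demo() {
    scratch=$(mktemp -d) || return 1
    echo "original" > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/pipesize"
    case $1 in
        naive)     echo 4096 > "$scratch/pipesize" && status=written ;;
        exclusive) if echo 4096 | write_exclusive "$scratch/pipesize"
                   then status=written; else status=refused; fi ;;
    esac
    echo "$status:$(cat "$scratch/victim")"
    rm -rf "$scratch"
}

demo naive       # the write goes through the link and replaces the victim
demo exclusive   # the write is refused and the victim is untouched
```

In psize.sh the same idea would mean obtaining the file name from make_private_tmp, or better, writing the scratch file inside the build directory rather than a world-writable /tmp.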