Bug 65620 - ports/security/cfs: cfssh(1) creates insecure directory
Summary: ports/security/cfs: cfssh(1) creates insecure directory
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Brian Feldman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-16 14:20 UTC by Martin Kammerhofer
Modified: 2004-04-21 00:50 UTC (History)

See Also:


Attachments
file.diff (310 bytes, patch)
2004-04-16 14:20 UTC, Martin Kammerhofer

Description Martin Kammerhofer 2004-04-16 14:20:21 UTC
The security/cfs port installs a shell script "cfssh". This script is
written for the Korn shell. The first line of the script is patched to
use the FreeBSD /bin/sh instead of /bin/ksh (by means of
ports/security/cfs/files/patch-ac). The script uses a ksh-specific
feature to generate a random directory name. This feature - the
special shell variable $RANDOM - is not present in /bin/sh! As a
consequence the script always generates the very predictable directory
"/crypt/.." instead of a random directory name.

Quote from the cfssh(1) manpage:

    Since the generated names are somewhat obscure and are hidden from
    view with CFS's "." mechanism, casual attackers cannot easily exploit
    the attached cleartext even if they can spoof the UID of the user.

The quoted intention of the script is clearly broken by the hardcoded
name. Everybody attaches to the same directory under /crypt.

Fix: Use a mechanism available to /bin/sh as a means of generating a random
pathname, e.g. FreeBSD's mktemp(1) command.
How-To-Repeat: Invoke cfssh(1) twice.
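Added example (not from the cfs port or this PR) showing why ".$RANDOM.$RANDOM" collapses to ".." when the shell has no RANDOM variable, next to the mktemp(1)-based replacement proposed above; the `name_is_sane` check is an assumption added here, not part of cfssh.

```shell
#!/bin/sh
# Constructed demonstration of the cfssh(1) bug and its fix.

# The ksh-era expression from the original cfssh. In a shell where RANDOM is
# not a special variable (the /bin/sh case, emulated here by unsetting it)
# each expansion is empty, so the "random" name is always "..".
broken_name() {
    unset RANDOM
    echo ".$RANDOM.$RANDOM"
}

# The replacement from the PR: let mktemp(1) choose the random part.
# -u only prints a candidate name and creates nothing; cattach(1) is what
# creates /crypt/$D, and the script's existing "|| exit 1" covers failure.
random_name() {
    basename "$(mktemp -u /tmp/.XXXXXXXXXXXXX)"
}

# Defensive check (hypothetical, not in cfssh): a usable attach name is
# hidden by a leading dot, is a single path component, and is not "." or
# ".." (which would resolve to /crypt or its parent instead of a fresh entry).
name_is_sane() {
    case "$1" in
        ""|.|..|*/*) return 1 ;;
        .*)          return 0 ;;
        *)           return 1 ;;
    esac
}

echo "sh:  .\$RANDOM.\$RANDOM -> '$(broken_name)'  (predictable, as in the PR)"
echo "fix: mktemp -u         -> '$(random_name)'"
```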
Comment 1 Martin Kammerhofer 2004-04-16 14:29:37 UTC
Here is a more comprehensive patch:

<-----------------cut here----------------------------------------------
diff -ruN cfs/files/patch-ac /usr/ports/security/cfs/files/patch-ac
--- cfs/files/patch-ac  Tue May 23 03:02:39 2000
+++ /usr/ports/security/cfs/files/patch-ac      Thu Jan 22 14:42:04 2004
@@ -1,8 +1,23 @@
---- cfssh.orig Mon May 22 20:56:00 2000
-+++ cfssh      Mon May 22 20:56:11 2000
-@@ -1,4 +1,4 @@
+--- cfssh.orig Wed Dec  3 22:21:40 1997
++++ cfssh      Thu Jan 22 14:38:48 2004
+@@ -1,11 +1,11 @@
 -#!/bin/ksh
 +#!/bin/sh

- if [ -z "$1" ]; then
+-if [ -z "$1" ]; then
++if [ ! -d "$1" ]; then
        echo Usage: cfssh directory
+       exit
+ fi
+ export PS1="crypto:`basename $1`$ "
+-D=.$RANDOM.$RANDOM
++D=$(basename $(mktemp -u /tmp/.XXXXXXXXXXXXX))
+ cattach $1 $D || exit 1
+ echo "Directory is /crypt/$D"
+ cd /crypt/$D
+@@ -13,5 +13,4 @@
+ CWD=`/bin/pwd`
+ D=`basename $CWD`
+ PWD=$CWD
+-export RANDOM=0
+ exec /bin/sh -c "$SHELL ; cdetach $D"
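Review bot: the new `if [ ! -d "$1" ]` test folds the missing-argument case and the nonexistent-directory case into the same "Usage: cfssh directory" message, so a mistyped path now reads as a usage error; consider keeping the `-z` test and adding a separate "no such directory" message for the `-d` failure. On `D=$(basename $(mktemp -u /tmp/.XXXXXXXXXXXXX))`: the usual race caveat about `mktemp -u` does not apply here, since nothing is created under /tmp and the name is only a random label that the unchanged `cattach $1 $D || exit 1` line turns into /crypt/$D, so a failed attach still exits. Removing `export RANDOM=0` is correct, as /bin/sh has no such special variable and the line only had meaning under ksh.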
diff -ruN cfs/files/patch-ag /usr/ports/security/cfs/files/patch-ag
--- cfs/files/patch-ag  Thu Jan  1 01:00:00 1970
+++ /usr/ports/security/cfs/files/patch-ag      Thu Jan 22 14:50:21 2004
@@ -0,0 +1,8 @@
+--- cfssh.1.orig       Wed Dec  3 22:21:43 1997
++++ cfssh.1    Thu Jan 22 14:49:21 2004
+@@ -1,4 +1,4 @@
+-.TH SSH 1 ""
++.TH CFSSH 1 ""
+ .SH NAME
+ cfssh - (somewhat) secure CFS shell
+ .SH SYNOPSIS
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2004-04-16 16:18:19 UTC
Responsible Changed
From-To: freebsd-ports-bugs->green

Over to maintainer.
Comment 3 Brian Feldman freebsd_committer freebsd_triage 2004-04-21 00:45:50 UTC
State Changed
From-To: open->closed

Fixed; thanks!