Bug 65620

Summary: ports/security/cfs: cfssh(1) creates insecure directory
Product: Ports & Packages Reporter: Martin Kammerhofer <dada>
Component: Individual Port(s)Assignee: Brian Feldman <green>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Martin Kammerhofer 2004-04-16 14:20:21 UTC 
The security/cfs port installs a shell script "cfssh". This script is
written for the Korn-Shell. The first line of the script is patched to
use the FreeBSD /bin/sh instead of /bin/ksh (by means of
ports/security/cfs/files/patch-ac). The script uses a ksh specific
feature to generate a random directory name. This feature - the
special shell variable $RANDOM - is not present in /bin/sh! As a
consequence the script always generates the very predictable directory
"/crypt/.." instead of a random directory name.

Quote from the cfssh(1) manpage:

    Since the generated names are somewhat obscure and are hidden from
    view with CFS's "." mechanism, casual attackers cannot easily exploit
    the attached cleartext even if they can spoof the UID of the user.

The quoted intention of the script is clearly broken by the hardcoded
name. Everybody attaches to the same directory under /crypt.

Fix: Use a mechanism available to /bin/sh as a means of generating a random
pathname, e.g. FreeBSD's mktemp(1) command.
How-To-Repeat: 
Invoke cfssh(1) twice.
Comment 1 Martin Kammerhofer 2004-04-16 14:29:37 UTC 
Here is a more comprehensive patch:

<-----------------cut here----------------------------------------------
diff -ruN cfs/files/patch-ac /usr/ports/security/cfs/files/patch-ac
--- cfs/files/patch-ac  Tue May 23 03:02:39 2000
+++ /usr/ports/security/cfs/files/patch-ac      Thu Jan 22 14:42:04 2004
@@ -1,8 +1,23 @@
---- cfssh.orig Mon May 22 20:56:00 2000
-+++ cfssh      Mon May 22 20:56:11 2000
-@@ -1,4 +1,4 @@
+--- cfssh.orig Wed Dec  3 22:21:40 1997
++++ cfssh      Thu Jan 22 14:38:48 2004
+@@ -1,11 +1,11 @@
 -#!/bin/ksh
 +#!/bin/sh

- if [ -z "$1" ]; then
+-if [ -z "$1" ]; then
++if [ ! -d "$1" ]; then
        echo Usage: cfssh directory
+       exit
+ fi
+ export PS1="crypto:`basename $1`$ "
+-D=.$RANDOM.$RANDOM
++D=$(basename $(mktemp -u /tmp/.XXXXXXXXXXXXX))
+ cattach $1 $D || exit 1
+ echo "Directory is /crypt/$D"
+ cd /crypt/$D
+@@ -13,5 +13,4 @@
+ CWD=`/bin/pwd`
+ D=`basename $CWD`
+ PWD=$CWD
+-export RANDOM=0
+ exec /bin/sh -c "$SHELL ; cdetach $D"
diff -ruN cfs/files/patch-ag /usr/ports/security/cfs/files/patch-ag
--- cfs/files/patch-ag  Thu Jan  1 01:00:00 1970
+++ /usr/ports/security/cfs/files/patch-ag      Thu Jan 22 14:50:21 2004
@@ -0,0 +1,8 @@
+--- cfssh.1.orig       Wed Dec  3 22:21:43 1997
++++ cfssh.1    Thu Jan 22 14:49:21 2004
+@@ -1,4 +1,4 @@
+-.TH SSH 1 ""
++.TH CFSSH 1 ""
+ .SH NAME
+ cfssh - (somewhat) secure CFS shell
+ .SH SYNOPSIS
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2004-04-16 16:18:19 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->green

Over to maintainer.
Comment 3 Brian Feldman freebsd_committer freebsd_triage 2004-04-21 00:45:50 UTC 
State Changed
From-To: open->closed

Fixed; thanks!