cron sendmail output

Jonathan Wiltshire jmw at debian.org
Mon Aug 5 08:07:58 EDT 2013


On 2013-08-02 09:26, Paul Verrall wrote:
> However, as get_iplayer's output does not contain any sensitive info,
> and more importantly the output is not read back into a process, we're
> probably safe in this instance, probably.

No, you've missed the point.

Bad:

$ whoami
evilgenius
$ ln -s /home/victim/.ssh/id_rsa /tmp/mydangeroustempfile
$ whoami
victim
$ echo "you lose" > /tmp/mydangeroustempfile
$ cat ~/.ssh/id_rsa
you lose

If victim didn't back up his keys, he's SOL. evilgenius does not need 
to be a privileged user to carry out this attack.

Worse:

$ whoami
evilgenius
$ ln -s /etc/shadow /tmp/myworsetempfile
$ su -
# whoami
root
# get_iplayer --refresh > /tmp/myworsetempfile
# cat /etc/shadow
get_iplayer v2.83, Copyright (C) 2008-2010 Phil Lewis
   This program comes with ABSOLUTELY NO WARRANTY; for details use --warranty.
   This is free software, and you are welcome to redistribute it under certain
   conditions; use --conditions for details.
<etc>

The only safe way to deal with this is mktemp(1) (and don't run 
get_iplayer as root, though I hope that goes without saying).


-- 
Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
             8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits
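
Added example, not part of the original message or of get_iplayer: a shell script that reproduces the fixed-name redirect from the message inside a private sandbox directory and sets it beside a mktemp(1)-based writer. The function names, the get_iplayer.XXXXXXXXXX template and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, constructed: every path is inside a private sandbox directory.

# Unsafe: fixed, predictable name in a shared directory. The shell's ">"
# follows a symlink that already exists there and truncates its target.
write_predictable() {            # $1 = shared dir, $2 = text to store
    printf '%s\n' "$2" > "$1/mydangeroustempfile"
}

# Safe: mktemp(1) creates a new, unpredictably named file (mode 0600) and
# never opens a path that already exists, so a planted link is not followed.
write_with_mktemp() {            # prints the path it created
    tmp=$(mktemp "$1/get_iplayer.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Build a sandbox where a symlink has been planted in advance, run one of the
# writers, and print what the link's target contains afterwards.
target_after() {                 # $1 = write_predictable | write_with_mktemp
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXXXXXX") || return 1
    mkdir "$sandbox/shared"                       # stand-in for /tmp
    printf 'precious\n' > "$sandbox/target"       # stand-in for the victim's file
    ln -s "$sandbox/target" "$sandbox/shared/mydangeroustempfile"
    "$1" "$sandbox/shared" "program output" > /dev/null
    cat "$sandbox/target"
    rm -rf "$sandbox"
}

echo "fixed name: target now contains '$(target_after write_predictable)'"
echo "mktemp:     target now contains '$(target_after write_with_mktemp)'"
```

In a cron job the same pattern applies: capture the path printed by mktemp, redirect the command's output to it, and remove it when done.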


