From 87b34352fb54e97a6676b0390136364bf26a417f Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 28 Jun 2004 17:58:24 +0000 Subject: [PATCH] Update for Shorewall 2.0.3a: git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1415 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE2/changelog.txt | 2 + STABLE2/fallback.sh | 2 +- STABLE2/firewall | 63 ++++++++++++++++------------- STABLE2/functions | 86 ++++++++++++++++++++++++++++++++++++++++ STABLE2/install.sh | 2 +- STABLE2/releasenotes.txt | 9 +++-- STABLE2/shorewall | 27 ++++++++----- STABLE2/shorewall.spec | 4 +- STABLE2/uninstall.sh | 2 +- 9 files changed, 153 insertions(+), 44 deletions(-) diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt index 5ab89b4a7..6efec2b36 100644 --- a/STABLE2/changelog.txt +++ b/STABLE2/changelog.txt @@ -36,3 +36,5 @@ Changes since 2.0.2 16) Pass INVALID icmp packets through the blacklisting chains. 17) Fix bogus code in process_tc_rule() + +18) Fix security vulnerability involving temporary files/directories. diff --git a/STABLE2/fallback.sh b/STABLE2/fallback.sh index bb10417a4..a82ccb0a1 100755 --- a/STABLE2/fallback.sh +++ b/STABLE2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.3 +VERSION=2.0.3a usage() # $1 = exit status { diff --git a/STABLE2/firewall b/STABLE2/firewall index 26b5296ce..746ae7d6c 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -82,7 +82,7 @@ startup_error() # $* = Error Message echo " Error: $@" >&2 my_mutex_off [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - rm -f /var/lib/shorewall/restore-$$ + [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE kill $$ exit 2 } 
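Review bot: The cleanup `[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE` added to startup_error here is repeated verbatim in stop_firewall (`@@ -1237`) and check_config (`@@ -2372`) further down this page, so three call sites must stay in sync if the temp-file handling changes again. A small helper next to save_command would keep them consistent: `remove_restorebase() { [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE; }` called from each of the three places. The function continues with the pre-existing `kill $$` / `exit 2`, which this hunk does not change.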
@@ -96,22 +96,22 @@ report () { # $* = message } # -# Write the passed args to /var/lib/shorewall/restore-$$ +# Write the passed args to $RESTOREBASE # save_command() { - echo "$@" >> /var/lib/shorewall/restore-$$ + echo "$@" >> $RESTOREBASE } # -# Write a progress_message command to /var/lib/shorewall/restore-$$ +# Write a progress_message command to $RESTOREBASE # save_progress_message() { - echo >> /var/lib/shorewall/restore-$$ - echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$ - echo >> /var/lib/shorewall/restore-$$ + echo >> $RESTOREBASE + echo "progress_message \"$@\"" >> $RESTOREBASE + echo >> $RESTOREBASE } # @@ -122,7 +122,7 @@ save_progress_message() # run_and_save_command() { - echo "$@" >> /var/lib/shorewall/restore-$$ + echo "$@" >> $RESTOREBASE eval $* } @@ -132,19 +132,19 @@ run_and_save_command() ensure_and_save_command() { if eval $* ; then - echo "$@" >> /var/lib/shorewall/restore-$$ + echo "$@" >> $RESTOREBASE else [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } # -# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$ +# Append a file in $STATEDIR to $RESTOREBASE # append_file() # $1 = File Name { save_command "cat > $STATEDIR/$1 << __EOF__" - cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ + cat $STATEDIR/$1 >> $RESTOREBASE save_command __EOF__ } @@ -1237,7 +1237,7 @@ stop_firewall() { # Turn off trace unless we were tracing "stop" or "clear" # - rm -f /var/lib/shorewall/restore-$$ + [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE case $COMMAND in stop|clear) @@ -1380,8 +1380,6 @@ stop_firewall() { # else. Remove the lock file and Kill the shell in case we're in a # subshell # - rm -f /var/lib/shorewall/restore-$$ - my_mutex_off kill $$ ;; @@ -2372,7 +2370,7 @@ check_config() { process_actions2 rm -rf $TMP_DIR - rm -f /var/lib/shorewall/restore-$$ + [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE echo "Configuration Validated" 
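Review bot: save_command, save_progress_message, run_and_save_command, ensure_and_save_command and append_file (hunks `@@ -96`, `@@ -122`, `@@ -132`) now redirect into `$RESTOREBASE`, but nothing guards against the variable being empty, and `>> $RESTOREBASE` with an empty expansion is a shell redirection error rather than a clear diagnostic. The `[ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE` in check_config suggests there are code paths on which it is unset, so the first writer should fail loudly: `: "${RESTOREBASE:?RESTOREBASE is not set}"` as the first line of save_command, and the same line in the other four writers. The pure deletion in stop_firewall (`@@ -1380`) appears to rely on the earlier cleanup at `@@ -1237` having already run; the lines between the two hunks are not on this page, so that cannot be confirmed here.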
@@ -5513,9 +5511,13 @@ define_firewall() # $1 = Command (Start or Restart) verify_os_version verify_ip - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall + [ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; } - echo '#bin/sh' > /var/lib/shorewall/restore-$$ + RESTOREBASE=$(mktempfile /var/lib/shorewall) + + [ -n "$RESTOREBASE" ] || fatal_error "Cannot create temporary file in /var/lib/shorewall" + + echo '#bin/sh' >> $RESTOREBASE save_command "#" save_command "# Restore base file generated by Shorewall $version - $(date)" save_command "#" @@ -5582,7 +5584,7 @@ define_firewall() # $1 = Command (Start or Restart) # 'shorewall save' appends the iptables-save output and '__EOF__' - mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base + mv -f $RESTOREBASE /var/lib/shorewall/restore-base } @@ -6004,6 +6006,8 @@ do_initialize() { DISABLE_IPV6= BRIDGING= DYNAMIC_ZONES= + RESTOREBASE= + TMP_DIR= stopping= have_mutex= @@ -6011,13 +6015,6 @@ do_initialize() { nonat_seq=1 aliases_to_add= - TMP_DIR=/tmp/shorewall-$$ - rm -rf $TMP_DIR - mkdir -p $TMP_DIR && chmod 700 $TMP_DIR || \ - startup_error "Can't create $TMP_DIR" - - trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - FUNCTIONS=$SHARED_DIR/functions if [ -f $FUNCTIONS ]; then @@ -6027,6 +6024,13 @@ do_initialize() { startup_error "$FUNCTIONS does not exist!" fi + TMP_DIR=$(mktempdir) + + [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ + startup_error "Can't create a temporary directory" + + trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 + ensure_config_path VERSION_FILE=$SHARED_DIR/version 
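Review bot: In define_firewall the new `chmod 700 /var/lib/shorewall` only runs when the directory is created in the same step, so a pre-existing directory with a looser mode keeps it even though `$RESTOREBASE` and the final restore-base now live there. If the intent is to guarantee the mode rather than just set it on first creation, split the two: `[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall` followed by `chmod 700 /var/lib/shorewall`. In do_initialize (`@@ -6027`) the `trap` that removes `$TMP_DIR` is installed after `mktempdir` has returned, so a signal between the two lines leaves the directory behind; installing the trap first with single quotes so the variable is expanded when it fires, `trap 'rm -rf $TMP_DIR; my_mutex_off; exit 2' 1 2 3 4 5 6 9`, closes that gap (`TMP_DIR=` is already initialised empty at `@@ -6004`, so the trap is harmless if it fires early).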
@@ -6038,8 +6042,13 @@ do_initialize() { config=$(find_file shorewall.conf) if [ -f $config ]; then - [ -n "$QUIET" ] || echo "Processing $config..." - . $config + if [ -r $config ]; then + [ -n "$QUIET" ] || echo "Processing $config..." + . $config + else + echo " ERROR: Cannot read $config (Hint: Are you root?)" + exit 2 + fi else echo "$config does not exist!" >&2 exit 2 diff --git a/STABLE2/functions b/STABLE2/functions index 443cd2c2a..e8aa7d942 100755 --- a/STABLE2/functions +++ b/STABLE2/functions 
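Review bot: The new `echo " ERROR: Cannot read $config (Hint: Are you root?)"` in do_initialize writes to stdout, while the sibling `echo "$config does not exist!" >&2` two lines below writes to stderr, so the unreadable-config diagnostic would be lost to anything that captures the script's output. Add the redirection: `echo " ERROR: Cannot read $config (Hint: Are you root?)" >&2`. The equivalent check added to ensure_config_path in STABLE2/shorewall later on this page already uses `>&2` but exits with `1` where this one exits with `2`; the two scripts could agree on one code for the same condition.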
@@ -336,6 +336,92 @@ mutex_off() rm -f $STATEDIR/lock } +# +# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: +# +# None - No mktemp +# BSD - BSD mktemp (Mandrake) +# STD - mktemp.org mktemp +# +find_mktemp() { + local mktemp=`which mktemp 2> /dev/null` + + if [ -n "$mktemp" ]; then + if qt mktemp -V ; then + MKTEMP=STD + else + MKTEMP=BSD + fi + else + MKTEMP=None + fi +} + +# +# create a temporary file. If a directory name is passed, the file will be created in +# that directory. Otherwise, it will be created in a temporary directory. +# +mktempfile() { + + [ -z "$MKTEMP" ] && find_mktemp + + if [ $# -gt 0 ]; then + case "$MKTEMP" in + BSD) + mktemp $1/shorewall.XXXXXX + ;; + STD) + mktemp -p $1 shorewall.XXXXXX + ;; + None) + mkdir $1/shorewall-$$ && echo $1/shorewall-$$ + ;; + *) + echo " ERROR:Internal error in mktempfile" + ;; + esac + else + case "$MKTEMP" in + BSD) + mktemp /tmp/shorewall.XXXXXX + ;; + STD) + mktemp -t shorewall.XXXXXX + ;; + None) + rm -f /tmp/shorewall-$$ + > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ + ;; + *) + echo " ERROR:Internal error in mktempfile" + ;; + esac + fi +} + +# +# create a temporary directory +# +mktempdir() { + + [ -z "$MKTEMP" ] && find_mktemp + + case "$MKTEMP" in + BSD) + mktemp -d /tmp/shorewall.XXXXXX + ;; + STD) + mktemp -td shorewall.XXXXXX + ;; + None) + mkdir /tmp/shorewall-$$ && echo /tmp/shorewall-$$ + ;; + *) + echo " ERROR:Internal error in mktempdir" + ;; + esac +} + # # Read a file and handle "INCLUDE" directives # diff --git a/STABLE2/install.sh b/STABLE2/install.sh index 90321b5ea..76cb77d13 100755 --- a/STABLE2/install.sh +++ b/STABLE2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.0.3 +VERSION=2.0.3a usage() # $1 = exit status { diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index 0df160bb5..e987cbd4b 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt 
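Review bot: In mktempfile's directory branch the `None` arm runs `mkdir $1/shorewall-$$` and echoes a directory, while the argument-less branch creates an empty file; define_firewall then does `echo '#bin/sh' >> $RESTOREBASE` and later `mv -f $RESTOREBASE /var/lib/shorewall/restore-base`, both of which fail on a directory, so a host without any mktemp cannot start the firewall. The `*)` arms in mktempfile and mktempdir print `" ERROR:Internal error in ..."` to stdout, and every caller captures stdout with `$(...)` and then tests `[ -n ... ]`, so that string would be accepted as a path (and in monitor_firewall later handed unquoted to `rm -rf`); send it to stderr and `return 1`. The argument-less `None` fallback still uses the predictable `/tmp/shorewall-$$` with `rm -f` followed by `>`, the pattern the rest of this commit removes; since `mkdir` fails atomically when the path already exists (which is why mktempdir's fallback is sound), a safer fallback creates a mode-700 directory and returns a file inside it, or at minimum warns on stderr that no mktemp was found. Minor: `command -v mktemp` is the portable replacement for `which`, whose output is not consistent across systems, and the header comment has a typo (`accortingly`).
```shell
mktempfile() {

    [ -z "$MKTEMP" ] && find_mktemp

    if [ $# -gt 0 ]; then
        case "$MKTEMP" in
            # … unchanged: BSD and STD arms …
            None)
                # Callers need a file, not a directory.
                # NOTE(review): a fixed name is only acceptable when $1 is not
                # writable by other users; confirm that holds for every caller.
                rm -f $1/shorewall-$$
                > $1/shorewall-$$ && echo $1/shorewall-$$
                ;;
            *)
                echo " ERROR:Internal error in mktempfile" >&2
                return 1
                ;;
        esac
    else
        case "$MKTEMP" in
            # … unchanged: BSD, STD and None arms …
            *)
                echo " ERROR:Internal error in mktempfile" >&2
                return 1
                ;;
        esac
    fi
}
```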
@@ -44,10 +44,13 @@ Problems Corrected since 2.0.2 not possible to blacklist hosts that are mounting certain types of ICMP-based DOS attacks. -Problems corrected since 2.0.3: +Problems Corrected since 2.0.3 -1) Non-empty entries in the /etc/shorewall/tcrules DEST column - generated an error message and Shorewall failed to start. +1) A non-empty DEST entry in /etc/shorewall/tcrules will generate an + error and Shorewall fails to start. + +2) A potential security vulnerablilty in the way that Shorewall + handles temporary files and directories has been corrected. ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3: diff --git a/STABLE2/shorewall b/STABLE2/shorewall index f4172bb7c..cc75ed19d 100755 --- a/STABLE2/shorewall +++ b/STABLE2/shorewall @@ -115,7 +115,7 @@ showfirstchain() # $1 = name of chain /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ /Chain '$1'/ { prnt=1; }; \ { if (prnt == 1) print; };\ - END { exit rslt; }' /tmp/chains-$$ + END { exit rslt; }' $TMPFILE } showchain() # $1 = name of chain @@ -130,7 +130,7 @@ showchain() # $1 = name of chain /^$|^ pkts/ { next; };\ /^Chain/ {if ( prnt == 1 ) exit; };\ /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' /tmp/chains-$$ + { if (prnt == 1) print; }' $TMPFILE fi } @@ -202,7 +202,10 @@ display_chains() # Send the output to a temporary file since ash craps if we try to store # the output in a variable. # - iptables -L $IPT_OPTIONS > /tmp/chains-$$ + TMPFILE=$(mktempfile) + [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } + + iptables -L $IPT_OPTIONS >> $TMPFILE clear echo "$banner $(date)" @@ -223,7 +226,7 @@ display_chains() echo "Input Chains" echo - chains=$(grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2) + chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2) for chain in $chains; do showchain $chain 
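Review bot: display_chains (`@@ -202`) creates `$TMPFILE` via mktempfile but only removes it with `qt rm -f $TMPFILE` at the end of the branch (`@@ -283` on the next line), and the function appears to pause in `timed_read` between screens, so an interrupt during the display leaves the file in the temp directory. A trap immediately after the creation check covers that path: `trap "rm -f $TMPFILE" 1 2 3 15`. showfirstchain and showchain (`@@ -115`, `@@ -130`) now read the global `$TMPFILE` assigned here instead of a path derived from `$$`; a one-line comment above the assignment, `# TMPFILE is read by showfirstchain/showchain`, would make that dependency visible to the next reader.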
@@ -233,7 +236,7 @@ display_chains() for zone in $zones; do - if [ -n "$(grep "^Chain \.*${zone}" /tmp/chains-$$)" ] ; then + if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then clear echo "$banner $(date)" echo @@ -283,7 +286,7 @@ display_chains() showchain dynamic timed_read - qt rm -f /tmp/chains-$$ + qt rm -f $TMPFILE else iptables -L -n -v timed_read @@ -399,8 +402,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that if qt which awk; then - TMP_DIR=/tmp/shorewall-$$ - mkdir $TMP_DIR + TMP_DIR=$(mktempdir) + [ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; } haveawk=Yes determine_zones rm -rf $TMP_DIR @@ -699,7 +702,12 @@ ensure_config_path config=$(find_file shorewall.conf) if [ -f $config ]; then - . $config + if [ -r $config ]; then + . $config + else + echo "Cannot read $config! (Hint: Are you root?)" >&2 + exit 1 + fi else echo "$config does not exist!" >&2 exit 2 @@ -733,7 +741,6 @@ fi banner="Shorewall-$version Status at $HOSTNAME -" - case $(echo -e) in -e*) RING_BELL="echo \a" diff --git a/STABLE2/shorewall.spec b/STABLE2/shorewall.spec index 89239ab45..8103beb25 100644 --- a/STABLE2/shorewall.spec +++ b/STABLE2/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.0.3 +%define version 2.0.3a %define release 1 %define prefix /usr @@ -141,6 +141,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Mon Jun 28 2004 Tom Eastep tom@shorewall.net +- Updated to 2.0.2a-1 * Wed Jun 23 2004 Tom Eastep tom@shorewall.net - Updated to 2.0.2-1 * Sat Jun 19 2004 Tom Eastep tom@shorewall.net diff --git a/STABLE2/uninstall.sh b/STABLE2/uninstall.sh index 1a1c746e8..6f5683198 100755 --- a/STABLE2/uninstall.sh +++ b/STABLE2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.3 +VERSION=2.0.3a usage() # $1 = exit status {
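Review bot: In ensure_config_path (`@@ -699`) the new unreadable-config branch exits with `exit 1` while the adjacent missing-config branch uses `exit 2`, and the same check added to do_initialize in STABLE2/firewall uses `exit 2` for both; pick one code, e.g. `exit 2`, so callers that distinguish failures see consistent values. In monitor_firewall (`@@ -399`) `rm -rf $TMP_DIR` follows `TMP_DIR=$(mktempdir)` unquoted; the `[ -n "$TMP_DIR" ]` check above rules out the empty case, but `rm -rf "${TMP_DIR:?}"` records that guarantee at the point of deletion and also tolerates a TMPDIR-derived path containing spaces, which `mktemp -t` can return.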
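Review bot: The new %changelog entry in STABLE2/shorewall.spec reads `- Updated to 2.0.2a-1` while the same file's `%define version` is bumped to `2.0.3a` in the hunk above, so the entry records the wrong release; it should read `- Updated to 2.0.3a-1`. The existing entries below it already follow the version-release pattern, so this is a one-token fix.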