[Bug 876108] New: cups /tmp/* symlinks and kernel audit log
https://bugzilla.novell.com/show_bug.cgi?id=876108
https://bugzilla.novell.com/show_bug.cgi?id=876108#c0

           Summary: cups /tmp/* symlinks and kernel audit log
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: suse-beta@cboltz.de
        ReportedBy: koenig@linux.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

1) cups creates tons of temp symlinks like this one -- it would be nice if
they'd be removed after use:

ls -l /tmp/52f62e0701fa6
lrwxrwxrwx 1 harald users 24 Feb  8 14:15 /tmp/52f62e0701fa6 -> /etc/cups/ppd/hp4650.ppd

2) there are some (apparmor?) rules which block access as root (not as normal
user):

ls -lL /tmp/52f62e0701fa6
ls: cannot access /tmp/52f62e0701fa6: Permission denied

giving

May  2 10:52:19 hl kernel: [307558.514035] type=1702 audit(1399020739.856:1429): op=follow_link ppid=13870 pid=29590 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts2 comm="ls" exe="/usr/bin/ls" res=0
May  2 10:52:19 hl kernel: [307558.514055] type=1302 audit(1399020739.856:1430): item=0 name="/tmp/52f62e0701fa6" inode=1457341 dev=fd:02 mode=0120777 ouid=1000 ogid=100 rdev=00:00

and

wc /tmp/52f62db4880d7
wc: /tmp/52f62db4880d7: Permission denied

May  2 10:52:22 hl kernel: [307561.238326] type=1702 audit(1399020742.582:1431): op=follow_link ppid=13870 pid=29593 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts2 comm="wc" exe="/usr/bin/wc" res=0
May  2 10:52:22 hl kernel: [307561.238351] type=1302 audit(1399020742.582:1432): item=0 name="/tmp/52f62db4880d7" inode=1457335 dev=fd:02 mode=0120777 ouid=1000 ogid=100 rdev=00:00
May  2 10:52:22 hl kernel: [307561.238381] type=1702 audit(1399020742.582:1433): op=follow_link ppid=13870 pid=29593 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts2 comm="wc" exe="/usr/bin/wc" res=0
May  2 10:52:22 hl kernel: [307561.238399] type=1302 audit(1399020742.582:1434): item=0 name="/tmp/52f62db4880d7" inode=1457335 dev=fd:02 mode=0120777 ouid=1000 ogid=100 rdev=00:00

but normal user can read:

wc /tmp/52f62e0701fa6
  4965  17867 197531 /tmp/52f62e0701fa6

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=876108#c1

Johannes Meixner <jsmeix@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsmeix@suse.com

--- Comment #1 from Johannes Meixner <jsmeix@suse.com> 2014-05-02 12:27:29 CEST ---
Regarding item 1) "cups creates temp symlinks":

Symlinks like /tmp/52f62e0701fa6 -> /etc/cups/ppd/hp4650.ppd are created by
applications that call CUPS library functions to get the PPD file for a print
queue. The cupsd is not involved here and the CUPS library cannot somehow
automatically delete it (library functions return to the caller). It is the
application that requested the PPD and accordingly it is the application that
must remove it when no longer needed.

See http://www.cups.org/documentation.php/doc-1.5/api-cups.html#cupsGetPPD
---------------------------------------------------------------------------
cupsGetPPD
Get the PPD file for a printer
...
The caller "owns" the file that is created and must unlink the returned
filename.
---------------------------------------------------------------------------

This means you would have to find out which particular applications failed to
remove their PPDs when no longer needed and file separate bug reports for each
of them (for an example see bnc#338095).
https://bugzilla.novell.com/show_bug.cgi?id=876108#c2

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com,
                   |                            |security-team@suse.de

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2014-05-02 10:58:54 UTC ---
It is actually the new kernel symlink protection triggering, and not apparmor.

/usr/include/linux/audit.h:#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */

Linux Kernel Documentation/sysctl/fs.txt:

protected_symlinks:

A long-standing class of security issues is the symlink-based
time-of-check-time-of-use race, most commonly seen in world-writable
directories like /tmp. The common method of exploitation of this flaw
is to cross privilege boundaries when following a given symlink (i.e. a
root process follows a symlink belonging to another user). For a likely
incomplete list of hundreds of examples across the years, please see:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp

When set to "0", symlink following behavior is unrestricted.

When set to "1" symlinks are permitted to be followed only when outside a
sticky world-writable directory, or when the uid of the symlink and follower
match, or when the directory owner matches the symlink's owner.

This protection is based on the restrictions in Openwall and grsecurity.
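The rule quoted in comment #2 can be checked against the records from the original report. The following Python is an added example, not code from the bug report, from CUPS or from openSUSE: it parses the kernel's AUDIT_ANOM_LINK record (type 1702) together with the PATH record (type 1302) that follows it, and applies the documented fs.protected_symlinks=1 decision to show why uid 0 was refused while the symlink's owner (uid 1000) was not. The policy function is a restatement of the sysctl documentation, not the kernel's own code, and the owner (root) and mode (01777) of /tmp are assumed because the audit records do not carry them.

```python
import re
import stat

# Constructed sample input: the first AUDIT_ANOM_LINK record and its PATH
# record as they appear in the report (syslog prefix dropped).
SAMPLE_AUDIT = (
    'type=1702 audit(1399020739.856:1429): op=follow_link ppid=13870 pid=29590 '
    'auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 '
    'tty=pts2 comm="ls" exe="/usr/bin/ls" res=0\n'
    'type=1302 audit(1399020739.856:1430): item=0 name="/tmp/52f62e0701fa6" '
    'inode=1457341 dev=fd:02 mode=0120777 ouid=1000 ogid=100 rdev=00:00\n'
)

AUDIT_ANOM_LINK = 1702   # "Suspicious use of file links", linux/audit.h
AUDIT_PATH = 1302        # PATH record carrying the symlink's owner (ouid)

# Assumed attributes of /tmp: owned by root, sticky and world-writable.
TMP_DIR_OWNER_UID = 0
TMP_DIR_MODE = 0o41777

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields.

    uid/fsuid/ouid are decimal; mode is octal (0120777 is S_IFLNK | 0777).
    """
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    fields['type'] = int(fields['type'])
    for key in ('uid', 'fsuid', 'ouid'):
        if key in fields:
            fields[key] = int(fields[key])
    if 'mode' in fields:
        fields['mode'] = int(fields['mode'], 8)
    return fields


def may_follow_symlink(protected, follower_fsuid, link_owner_uid,
                       dir_owner_uid, dir_mode):
    """Simplified restatement of fs.protected_symlinks (Documentation/sysctl/fs.txt).

    With the sysctl at 1, a symlink inside a sticky world-writable directory
    may only be followed when the follower's fsuid equals the link owner, or
    the directory owner equals the link owner. Outside such directories, or
    with the sysctl at 0, following is unrestricted.
    """
    if not protected:
        return True
    sticky_world_writable = bool(dir_mode & stat.S_ISVTX) and bool(dir_mode & stat.S_IWOTH)
    if not sticky_world_writable:
        return True
    if follower_fsuid == link_owner_uid:
        return True
    return dir_owner_uid == link_owner_uid


def explain_audit(text, dir_owner_uid=TMP_DIR_OWNER_UID, dir_mode=TMP_DIR_MODE):
    """Pair each follow_link ANOM_LINK record with the PATH record after it and
    report who tried to follow which symlink and whether the policy refused."""
    results = []
    pending = None
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec['type'] == AUDIT_ANOM_LINK and rec.get('op') == 'follow_link':
            pending = rec
        elif rec['type'] == AUDIT_PATH and pending is not None:
            allowed = may_follow_symlink(1, pending['fsuid'], rec['ouid'],
                                         dir_owner_uid, dir_mode)
            results.append({
                'comm': pending['comm'],
                'name': rec['name'],
                'follower_fsuid': pending['fsuid'],
                'link_owner_uid': rec['ouid'],
                'is_symlink': stat.S_ISLNK(rec['mode']),
                'denied': not allowed,
            })
            pending = None
    return results


if __name__ == '__main__':
    for event in explain_audit(SAMPLE_AUDIT):
        print(event)
    # The owner of the link (uid 1000) reading it is permitted, as the report shows.
    print(may_follow_symlink(1, 1000, 1000, TMP_DIR_OWNER_UID, TMP_DIR_MODE))
```

Feeding the whole `/var/log/messages` excerpt through `explain_audit` (after stripping the syslog prefix) lists every refused traversal with the follower's fsuid and the link owner's uid side by side, which is the quickest way to tell a protected_symlinks denial from an AppArmor one: AppArmor denials arrive as `type=1400` records with `apparmor="DENIED"`, never as `type=1702`.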
https://bugzilla.novell.com/show_bug.cgi?id=876108#c3

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|suse-beta@cboltz.de         |security-team@suse.de

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> 2014-05-02 13:59:23 CEST ---
As Marcus already wrote, this is not related to AppArmor. Therefore I'm
assigning to the security team. Feel free to reassign as needed ;-)
https://bugzilla.novell.com/show_bug.cgi?id=876108#c4

Harald Koenig <koenig@linux.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |INVALID

--- Comment #4 from Harald Koenig <koenig@linux.de> 2014-05-02 13:20:38 UTC ---
(In reply to comment #1)
> This means you would have to find out what particular applications missed to
> remove their PPDs when no longer needed and file separated bug reports for
> each of them (for an example see bnc#338095).

Just for reference: the application in question was/is acroread-9.5.5.
It creates 4 symlinks per print request :-(

So obviously this is a non-issue for openSUSE...

Thanks for your help and insights!
Harald
https://bugzilla.novell.com/show_bug.cgi?id=876108#c5

--- Comment #5 from Johannes Meixner <jsmeix@suse.com> 2014-05-02 16:09:39 CEST ---
Only FYI:

See bnc#547292 "Printing via Adobe Reader leaves four or more identical PPD
files in /tmp/ for every print job."
https://bugzilla.novell.com/show_bug.cgi?id=876108#c

Johannes Meixner <jsmeix@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|AppArmor                    |Other
           Platform|x86-64                      |All
           Found By|---                         |Community User
            Summary|cups /tmp/* symlinks and    |Adobe Reader leaves PPD
                   |kernel audit log            |file symlinks in /tmp/ and
                   |                            |kernel symlink protection
         OS/Version|Other                       |openSUSE 13.1