2024-04-11 18:36:00

by Yann E. MORIN

[permalink] [raw]
Subject: [oss-security] Re: [Buildroot] [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm

Ben, All,

On 2024-04-11 17:20 +0200, Ben Hutchings via buildroot spake thusly:
> /dev/shm is a world-writable directory, like /tmp, and should also
> have the sticky bit set. Without this, any user can delete and
> replace another user's files in /dev/shm.

Indeed, good catch!

> This bug has been present since /dev/shm was added to the skeleton
> /etc/fstab, but appears to have been fixed for systems using systemd
> by commit 76fc9275f14e "system: separate sysv and systemd parts of the
> skeleton" which went into Buildroot 2017.08.
>
> Signed-off-by: Ben Hutchings <[email protected]>
> Fixes: 22fde22e35f98f7830c2f8955465532328348cd1

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> package/skeleton-init-sysv/skeleton/etc/fstab | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/skeleton-init-sysv/skeleton/etc/fstab b/package/skeleton-init-sysv/skeleton/etc/fstab
> index 169054b74f..06c20fe9d5 100644
> --- a/package/skeleton-init-sysv/skeleton/etc/fstab
> +++ b/package/skeleton-init-sysv/skeleton/etc/fstab
> @@ -2,7 +2,7 @@
> /dev/root / ext2 rw,noauto 0 1
> proc /proc proc defaults 0 0
> devpts /dev/pts devpts defaults,gid=5,mode=620,ptmxmode=0666 0 0
> -tmpfs /dev/shm tmpfs mode=0777 0 0
> +tmpfs /dev/shm tmpfs mode=1777 0 0
> tmpfs /tmp tmpfs mode=1777 0 0
> tmpfs /run tmpfs mode=0755,nosuid,nodev 0 0
> sysfs /sys sysfs defaults 0 0
> --
> 2.39.2
>
> _______________________________________________
> buildroot mailing list
> [email protected]
> https://lists.buildroot.org/mailman/listinfo/buildroot

--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'