Product: mpich
Version: 1.2.7 (maybe prior)
URL: http://www-unix.mcs.anl.gov/mpi/mpich/
Vulnerability: possible symlink attack
Date: June 25th, 2005
Discovered by: nixon

* Product

MPICH is a freely available, portable implementation of MPI, the Standard
for message-passing libraries.

* Possible symlink attack when running programs

To run an mpich program, the user normally uses `mpirun'. From the mpich
documentation:

  "Many users of mpich will be using a Beowulf cluster, typically running
  Linux [...]. The ch_p4 device is one of two devices that are appropriate
  for Beowulf and other clusters;"

  "When used with the ch_p4 device, the mpirun program uses a file called a
  machines file to list the machines or nodes that are available for
  running mpich programs."

When $MPIRUN_RANDOM is set to 'yes', mpirun.pg and mpirun.rand build a
shuffled copy of that machines file through a temporary file. The machine
names are written to $TMPDIR/mpitemp-${LOGNAME}$$, or to
/tmp/mpitemp-${LOGNAME}$$ when $TMPDIR is not set in the environment. The
name is made only of the user name and the pid of the running script, so it
is predictable, and the file is created with a plain shell redirection
(`>'), which follows symbolic links and truncates whatever the link points
to.

Execution flow: mpirun -> mpirun.ch_p4 -> mpirun.pg -> mpirun.rand

A local attacker can therefore guess the pid and create, in advance, a
symbolic link of that name pointing at any file the executing user has
write permission to. When that user runs `mpirun', the target of the link
is overwritten with the machine list.

(see mpirun.pg)

    if [ "$MPIRUN_RANDOM" = "yes" ] ; then
    ...
    # Check to see if TMPDIR is set, if not, use /tmp
    if [ -n "$TMPDIR" ] ; then
        TEMPDIR=$TMPDIR
    else
        TEMPDIR="/tmp"
    fi
    export TEMPDIR
    ...
    if [ -x $MPIRUN_HOME/mpirun.rand ] ; then
        $MPIRUN_HOME/mpirun.rand $machineFile $machines_randFile
    else
        chmod +x $MPIRUN_HOME/mpirun.rand
        $MPIRUN_HOME/mpirun.rand $machineFile $machines_randFile
    fi

(see mpirun.rand)

    machines_temp="$TEMPDIR/mpitemp-${LOGNAME}$$"
    ...
    cat $machinesFile | sed -e '/^#/d' -e 's/#.*^//g' > $machines_temp

* Solution

It is better to put the temporary files in a directory writable only by the
user. As a workaround, users can run `export TMPDIR=$HOME' before invoking
`mpirun'; the proper fix is to change the scripts themselves, for instance
replacing /tmp with $HOME.

- nixon -
http://www.excluded.org
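The following script is an added example and is not code from the advisory or from MPICH. It reproduces the mpirun.rand pattern (predictable name, plain `>` redirection) in a private scratch directory, pre-seeds symlinks for a range of guessed pids the way a local attacker would, and shows that the redirection writes through the link. Beside it is a hardened variant that creates the file with mktemp(1), which opens with O_CREAT|O_EXCL and a random suffix, so a pre-placed link is neither followed nor guessable. That is a stronger fix than relocating the file to $HOME, which only helps if $HOME itself is not writable by others. The directory name, the user tag, the pid 12345 and the machines file are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not MPICH's own code): predictable temp file vs. mktemp.
# All paths live under a private scratch directory, never the real /tmp.

DEMO_ROOT=$(mktemp -d)          # stands in for $TEMPDIR (/tmp or $TMPDIR)
USER_TAG=${LOGNAME:-demo}       # stands in for ${LOGNAME}

# Constructed machines file, like the one mpirun.pg hands to mpirun.rand.
MACHINES_FILE="$DEMO_ROOT/machines"
cat > "$MACHINES_FILE" <<'EOF'
# constructed sample machines file
node01
node02   # trailing comment
node03
EOF

# Vulnerable pattern: same shape as mpirun.rand, with $$ replaced by an
# explicit pid so the demo is deterministic. A plain '>' follows a symlink
# and truncates whatever it points to.
vulnerable_write() {
    tempdir=$1; pid=$2
    machines_temp="$tempdir/mpitemp-${USER_TAG}${pid}"
    sed -e '/^#/d' -e 's/#.*$//' "$MACHINES_FILE" > "$machines_temp"
}

# Hardened pattern: mktemp(1) creates a fresh file with O_CREAT|O_EXCL and
# mode 0600, so anything already present at the name is never used, and the
# random suffix makes the name unguessable. Prints the path it created.
hardened_write() {
    tempdir=$1
    machines_temp=$(mktemp "$tempdir/mpitemp-${USER_TAG}.XXXXXX") || return 1
    sed -e '/^#/d' -e 's/#.*$//' "$MACHINES_FILE" > "$machines_temp"
    printf '%s\n' "$machines_temp"
}

# Attacker side (constructed): a file only the victim can write, and symlinks
# pre-seeded for a small window of guessed pids around the expected value.
VICTIM="$DEMO_ROOT/victim"
printf 'original contents\n' > "$VICTIM"
GUESSED_PID=12345
pid=$((GUESSED_PID - 5))
while [ "$pid" -le $((GUESSED_PID + 5)) ]; do
    ln -s "$VICTIM" "$DEMO_ROOT/mpitemp-${USER_TAG}${pid}"
    pid=$((pid + 1))
done

# Victim side: the vulnerable pattern runs with a pid inside the window.
vulnerable_write "$DEMO_ROOT" "$GUESSED_PID"

# Returns 0 when the victim file no longer holds its original contents,
# i.e. the machine list was written through the symlink.
victim_clobbered() {
    ! grep -q 'original contents' "$VICTIM"
}

# Hardened run: the attacker's symlinks are still in place but never used.
HARDENED_FILE=$(hardened_write "$DEMO_ROOT")

# Returns 0 when the hardened temp file is a real, non-symlink file holding
# the cleaned machine list (comment line dropped, trailing comment stripped).
hardened_file_ok() {
    [ -f "$HARDENED_FILE" ] && [ ! -L "$HARDENED_FILE" ] \
        && grep -q '^node02' "$HARDENED_FILE" \
        && ! grep -q '#' "$HARDENED_FILE"
}

cleanup_demo() { rm -rf "$DEMO_ROOT"; }
```

Run it as an ordinary user; after `vulnerable_write` the file `victim` contains the node list instead of its original text, while the file returned by `hardened_write` is a fresh regular file whose name none of the pre-seeded links match. Call `cleanup_demo` when done to remove the scratch directory.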