
I was recently reading about Ansible and the way it manages the sudo passwords. More specifically:

When using become_user to a user other than root, the module arguments are briefly written into a random tempfile in /tmp. These are deleted immediately after the command is executed. This only occurs when changing privileges from a user like ‘bob’ to ‘timmy’, not when going from ‘bob’ to ‘root’, or logging in directly as ‘bob’ or ‘root’. If it concerns you that this data is briefly readable (not writable), avoid transferring unencrypted passwords with become_user set. In other cases, /tmp is not used and this does not come into play. Ansible also takes care to not log password parameters.

Isn't this a security risk? Could a non-privileged user write a watchdog script that sniffs the contents of newly created files in the /tmp directory?

bergercookie
  • 143
  • 4

2 Answers

3

A possible attacker can also use the inotify mechanism of the Linux kernel to track the filesystem events in the /tmp directory.

If a new file is created, also create a hard link to this file. The result is that the file will still exist on the hard drive, even after the attacked software thinks it was already deleted.

This is an event-oriented solution, which happens on the spot after the file creation; it is invisible to the attacked software, and getting the event and creating the link takes only 2 kernel calls. It is faster than anything the attacked software can do.

The required code is around 30 lines in C. Most rootkits probably contain this feature, but in a non-hardened environment you don't need root for that.

peterh
  • 2,938
  • 6
  • 25
  • 31
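To make the exposure discussed in the question and in the answer above concrete from the defender's side, here is an added Python audit helper (my own code, not Ansible's and not from either answer). It checks the things that decide whether a short-lived temp file is readable or hard-linkable by other local users: the file's own mode bits, whether its directory is writable by others, and the Linux `fs.protected_hardlinks` sysctl read from `/proc/sys/fs/protected_hardlinks` (assumed present; the function returns `None` elsewhere). It then contrasts a constructed "loosened so another user can read it" file, mimicking the situation the question describes, with the private `mkdtemp`/`mkstemp` pattern. The sample secret string and file prefixes are constructed values.

```python
import os
import stat
import tempfile


def protected_hardlinks_enabled():
    """Read the Linux fs.protected_hardlinks sysctl.

    When it is 1, a user may only hard-link files they own or can write to,
    which is what stops the link-the-tempfile trick from the answer above.
    Returns None when the sysctl is not exposed (non-Linux, restricted /proc).
    """
    try:
        with open("/proc/sys/fs/protected_hardlinks") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def exposure_report(path):
    """Describe how exposed a temp file is to other local users."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path) or ".").st_mode)
    return {
        # anyone on the box can read the contents while the file exists
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
        # other users can create entries (e.g. hard links) in this directory
        "shared_dir": bool(dir_mode & stat.S_IWOTH),
        # sticky bit only stops deleting/renaming others' files, not linking
        "sticky_dir": bool(dir_mode & stat.S_ISVTX),
        "hardlink_protected": protected_hardlinks_enabled(),
    }


def write_readable_tempfile(directory, data):
    """Constructed stand-in for a tool that drops arguments into a shared
    directory and then loosens permissions so a second user can read them."""
    fd, path = tempfile.mkstemp(prefix="args-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # deliberately world-readable, as in the question
    return path


def write_private_tempfile(data):
    """Safer pattern: a 0700 private directory holding a 0600 file.
    mkdtemp/mkstemp create these modes regardless of umask."""
    private_dir = tempfile.mkdtemp(prefix="private-")
    fd, path = tempfile.mkstemp(dir=private_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def compare_patterns():
    """Write the same constructed secret both ways, report, then clean up."""
    secret = "become_pass=not-a-real-password"  # constructed sample value
    shared = write_readable_tempfile(tempfile.gettempdir(), secret)
    private = write_private_tempfile(secret)
    try:
        return {
            "shared": exposure_report(shared),
            "private": exposure_report(private),
        }
    finally:
        os.unlink(shared)
        os.unlink(private)
        os.rmdir(os.path.dirname(private))


if __name__ == "__main__":
    for name, report in compare_patterns().items():
        print(name, report)
```

The private pattern only helps when the same user writes and reads the file; it does not solve the cross-user handoff that `become_user` needs, which is exactly why the Ansible documentation quoted in the question advises against transferring unencrypted passwords in that mode. The `hardlink_protected` field is the check worth running on shared hosts, since the sticky bit on /tmp does not prevent another user from creating a hard link to a readable file there.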
1

Yes, if you knew the name of the file being written you could write a simple loop to rapidly attempt a read on the file. If the file name is random then you would either need to figure out the algorithm that the software is using to derive the file name or attempt to quickly stat and then copy or read files in /tmp.

If you could force the software to perform this operation in succession then it comes down to a race condition between forcing the action and reading the file. This would increase the likelihood of success.

Joshua Gimer
  • 290
  • 1
  • 5