Bugtraq mailing list archives
Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache
From: scott () Disclosure COM (Scott Barman)
Date: Fri, 25 Aug 1995 12:49:52 -0400
On Thu, 24 Aug 1995, Dr. Frederick B. Cohen wrote:
> Joy of joys. After running lsof (the security program identified by the CERT that lists open files) I found the following file:
>
>     -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache
>
> This file appears to hold pointers into device files, memory maps, etc. which lsof reads the next time around. It could be very dangerous since lsof normally runs as root. Please tell me I'm wrong and it's not a hazard.

If you installed it right, lsof does not run as root. In fact, on a Sun running SunOS 4.1.3_U1 I have it installed as setgid to kmem. Under SunOS, that's sufficient permissions to allow it to read /dev/kmem.

Also, it creates the file as the real user who invoked it when it had to build the cache. If I do an "ls -lg" on the one created here:

    -rw-rw-rw- 1 scott research 11465 Aug 25 12:37 /tmp/.lsof_dev_cache

Both the user and group are correct for my login. Our root is not in group "research."

Finally, according to the 00FAQ file in the source directory (and I picked up my copy from CERT, too), the reading of this file has 10 checks for validity. If it fails one of them, then the cache is rebuilt. Amongst the checks is a checksum and checking the information on the file using stat(). Otherwise, it does give you a way to turn this feature off, if you are still unconvinced this is not so much of a problem.

I would suggest you RTFF (Read The Fine FAQ) for more information.

scott barman
--
scott barman                DISCLAIMER: I speak to anyone who will listen,
scott () disclosure com     and I speak only for myself.
barman () ix netcom com
"Micro$oft and Windoze/NT will be the cause of the de-evolution of network security just as the original PC and BASIC was the cause of the de-evolution of programming."
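
The message above mentions validating the cache with stat() information and a checksum, and rebuilding it on any failure. The following sketch of that pattern is an added example, not part of the original post and not lsof's code. The file layout, the checksum, the reason codes and the names `sum32`, `cache_ok` and `demo` are assumptions, the checks shown are not lsof's ten, and rejecting a group- or world-writable file is a stricter choice made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed layout (not lsof's format): 4-byte checksum, then payload. */
static uint32_t sum32(const unsigned char *p, size_t n) {
    uint32_t s = 0;
    while (n--) s = ((s << 1) | (s >> 31)) ^ *p++;   /* rotate-and-xor */
    return s;
}

/* 0 = usable; negative = reason to discard the cache and rebuild it. */
int cache_ok(const char *path) {
    unsigned char buf[65536];
    struct stat st;
    ssize_t n = 0;
    int rc = 0, fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse symlinks */
    if (fd < 0) return -1;
    /* fstat() the opened descriptor so the checks apply to what is read */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) rc = -2;
    else if (st.st_uid != getuid()) rc = -3;              /* not the real user's file */
    else if (st.st_mode & (S_IWGRP | S_IWOTH)) rc = -4;   /* others could modify it */
    else if ((n = read(fd, buf, sizeof buf)) < 4) rc = -5;
    else {
        uint32_t want = sum32(buf + 4, (size_t)n - 4);
        if (memcmp(buf, &want, 4) != 0) rc = -5;          /* contents changed */
    }
    close(fd);
    return rc;
}

/* Demo on a constructed file: set its mode, optionally tamper, validate. */
int demo(mode_t mode, int tamper) {
    char path[] = "/tmp/cache_demo_XXXXXX";
    unsigned char body[] = "\0\0\0\0ttya 12,0\nkmem 3,1\n";   /* constructed data */
    size_t len = sizeof body - 1;
    uint32_t s = sum32(body + 4, len - 4);
    int rc, fd = mkstemp(path);
    if (fd < 0) return -100;
    memcpy(body, &s, 4);
    if (tamper) body[6] ^= 1;                 /* flip one payload bit after summing */
    if (write(fd, body, len) != (ssize_t)len || fchmod(fd, mode) != 0) rc = -101;
    else rc = cache_ok(path);
    close(fd);
    unlink(path);
    return rc;
}
```

A caller treats any non-zero result the same way: ignore the file and rebuild the cache from the live system.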