Bugtraq mailing list archives

Re: Publically writable directories

From: wfp5p () tigger itc virginia edu (Bill Pemberton)
Date: Tue, 18 Jun 1996 11:57:48 -0400


Thomas Koenig writes:


When an attacker does

$ ln -s /tmp/some.file /etc/nologin

and has root create /tmp/some.file, the problems are obvious.  Question:
Can this also create security problems for a 'normal' user?


Quite easily.  What about:

ln -s /tmp/some.file /home/blah/.rhosts

If you can get user blah to open /tmp/some.file and put something like + +
in the file (this was the hole with elm).

Or, a simple screw-up-the-user:

ln -s /tmp/some.file /home/blah/.profile



--
Bill Pemberton                           wfp5p () virginia edu
ITC/Unix Systems                         flash () virginia edu
University of Virginia                   uunet!virginia!wfp5p

Current thread:

[linux-security] Big security hole in kerneld's request_route Igor Chudov @ home (Jun 13)
- system() call in suid programs Not Joe (Jan 03)
  - Re: system() call in suid programs Valdis.Kletnieks () vt edu (Jun 14)
    - Re: system() call in suid programs Max Hailperin (Jun 14)
    - Publically writable directories Thomas Koenig (Jun 16)
    - Re: Publically writable directories Neil Soveran-Charley (Jun 16)
    - Re: Publically writable directories Brian Mitchell (Jun 17)
    - Re: Publically writable directories Thomas Koenig (Jun 18)
    - Re: Publically writable directories Bill Pemberton (Jun 18)
    - Re: Publically writable directories Thomas Koenig (Jun 18)
    - Re: Publically writable directories Bill Pemberton (Jun 17)
    - Re: Publically writable directories David DeSimone (Jun 17)
    - Re: Publically writable directories Valdis.Kletnieks () vt edu (Jun 17)
    - Re: Publically writable directories Michael Dilger (Jun 17)
  - Re: system() call in suid programs Kari E. Hurtta (Jun 14)
- [linux-security] Re: Big security hole in kerneld's request_route Jacques Gelinas (Jun 13)