Bugtraq mailing list archives
Re: request-route
From: hzoli () FRONTIERNET NET (Zoltan Hidvegi)
Date: Tue, 29 Jul 1997 01:16:42 -0400
Ariel Biener wrote: [...]
/sbin/request-route is a script. So, the script can be fixed to check for the lock file, or whatever other security check are needed. No need to just go and remove before finding a suitable solution. A simple solution would be to add a: set -o noclobber In the script, right here: sleep 60 & sleepid=$! ---> set -o noclobber echo $sleepid > $LOCK wait $sleepid
Unfortunately this is still not enough. The problem is that many (if not most) shells do not implement noclobber in a race-free way, but even if they do, noclobber still allows writing to device special files, so a symlink to /dev/hda will be followed by the shell destroying your master boot record. As far as I know, there is no portable way to safely create lock files in a world-writable directory from a bourne-shell script. If the script runs as root (as it is the case with request-route), it is enough to put the lockfile in a directory writable only by root. Debian uses /var/run for the request-route lockfile. Zoltan
Current thread:
- Re: CPSR 7: IRIX WWW Server Thomas Walter (Jul 24)
- Re: CPSR 7: IRIX WWW Server Aaron Bornstein (Jul 24)
- Security hole in mgetty+sendfax Gert Doering (Jul 24)
- BIND Nuking Aveek Datta (Jul 24)
- Re: BIND Nuking Thomas H. Ptacek (Jul 29)
- ANNOUNCE: inn-1.5.1sec (fwd) Christopher Samuel (Jul 30)
- Re: Security hole in mgetty+sendfax Gert Doering (Jul 25)
- BIND Nuking Nicolas Dubee (Jul 25)
- Re: your mail Ariel Biener (Jul 25)
- Re: request-route Zoltan Hidvegi (Jul 28)
- Re: request-route Eric Bennett (Jul 29)
- Re: request-route John Macdonald (Jul 29)
- Re: request-route Kragen Sitaker (Jul 30)
- Re: request-route John Macdonald (Jul 31)
- perl fingerd stupidity Chris Terry (Jul 31)
- HP Security Bulletins Digest Aleph One (Jul 31)
- BIND Nuking Aveek Datta (Jul 24)
- Re: request-route Mihai SANDU (Jul 26)
- Netspace Singapore Privacy Bug Aleph One (Jul 26)
- Re: your mail Alan Cox (Jul 27)