Bugtraq mailing list archives
Re: Xinetd /tmp race?
From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Sat, 14 Nov 1998 00:12:53 +0100
On Fri, 13 Nov 1998, Marc Heuse wrote:
+ dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ; + if ( dump_fd == -1 ) + { + if ( lstat( dump_file, &stat) != 0) + { + msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ; + return ; + } + if (stat.st_uid != getuid()) + { + msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ; + return ; + } + dump_fd = open( dump_file, O_WRONLY + O_APPEND) ; + }
ln /etc/passwd /tmp/whatever_the_filename_was I wonder whether my first message suggesting to create a file under a randomized filename (with mkstemp() for instance) and rename (which should be safer) ended into Aleph1's /dev/null ;) strcpy(tmp_filename, "/path/blahXXXXXX"); dump_fd = mkstemp(tmp_filename); if (dump_fd != -1) { if (rename(tmp_filename, real_filename) == -1) { save_errno = errno; close(dump_fd); dump_fd = -1; unlink(tmp_filename); errno = save_errno; } } (of course, one must be careful not to introduce a buffer overrun during tmp_filename construction) --Pavel Kankovsky aka Peak [ Boycott Czech Telecom--http://www.bojkot.cz ] "spt Telecom... ted zdrazujeme zitrek!" [ Engl. lang. info-- .../english/ ]
Current thread:
- SCO World Script Vulnerabilities, (continued)
- SCO World Script Vulnerabilities Ben Laurie (Nov 11)
- Re: SCO World Script Vulnerabilities Joe (Nov 12)
- WARNING: Another ICQ IP address vulnerability Mnemonix (Nov 11)
- Citadel security exploits? Stout, Bill (Nov 11)
- Re: Xinetd /tmp race? Wayne Schroeder (Nov 11)
- Re: Xinetd /tmp race? Glynn Clements (Nov 11)
- Re: Xinetd /tmp race? Jesús Cea Avión (Nov 12)
- Re: Xinetd /tmp race? Glynn Clements (Nov 12)
- Re: Xinetd /tmp race? Casper Dik (Nov 14)
- Re: Xinetd /tmp race? Marc Heuse (Nov 13)
- Re: Xinetd /tmp race? Pavel Kankovsky (Nov 13)
- Re: Xinetd /tmp race? stanislav shalunov (Nov 13)
- Re: Xinetd /tmp race? Kevin Vajk (Nov 14)
- SCO World Script Vulnerabilities Ben Laurie (Nov 11)