Bugtraq mailing list archives
Re: Another nice tmp race
From: glynn () SENSEI CO UK (Glynn Clements)
Date: Wed, 28 Oct 1998 11:59:02 +0000
Stefan Laudat wrote:
Playing with my new shiny Slackware 3.5 box I have noticed something unusual. The in.pop3d daemon sometimes creates locks for some mailboxes in /usr/tmp/.pop. The directory is drwxrwxrwt so there will be no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or whatever comes in your head. Be creative.
To clarify matters further:

1. The temp files are open()ed with O_EXCL, so (AFAIK) /usr/tmp/.pop would have to be on an NFS filesystem (or something else which doesn't handle O_EXCL correctly) in order for there to be a race condition.

2. pop3d performs a setuid() to the user who has logged in before the temp files are created, so any files would need to be group writable, for pop3d's gid or supplementary gids.

The mailing list address for pop3d is pop3d () scott net. The maintainer is now aware of this issue.

--
Glynn Clements <glynn () sensei co uk>
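The O_EXCL point in the reply above, as an added example that is not part of the original post or of pop3d's source: on a local filesystem, a lock created with O_CREAT|O_EXCL fails when the name already exists as a symlink, while the same open without O_EXCL follows the link and truncates the file behind it. The function names and the scratch paths under /tmp/popdemo.XXXXXX are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Lock creation as the reply describes it: O_CREAT|O_EXCL fails with EEXIST
 * if the name already exists, even when that name is a symlink. */
static int open_lock_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Weak form for contrast: without O_EXCL the open follows the symlink. */
static int open_lock_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Returns 1 if creating the lock truncated the file behind a pre-existing
 * symlink, 0 if that file was left intact, -1 on setup failure. */
int lock_clobbers_target(int use_excl) {
    char dir[] = "/tmp/popdemo.XXXXXX";   /* constructed scratch directory */
    char target[64], lock[64];
    struct stat st;
    int result = -1;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lock, sizeof lock, "%s/.lock", dir);
    if ((f = fopen(target, "w")) != NULL) {
        fputs("important\n", f);
        fclose(f);
        if (symlink(target, lock) == 0) {   /* name is taken before the open */
            int fd = use_excl ? open_lock_excl(lock) : open_lock_weak(lock);
            if (fd >= 0) close(fd);
            if (stat(target, &st) == 0) result = (st.st_size == 0);
            unlink(lock);
        }
        unlink(target);
    }
    rmdir(dir);
    return result;
}

int main(void) {
    printf("O_EXCL: clobbered=%d\n", lock_clobbers_target(1));
    printf("no O_EXCL: clobbered=%d\n", lock_clobbers_target(0));
    return 0;
}
```

This runs entirely inside a private mkdtemp() directory owned by the caller, so it shows only the open() semantics, not the NFS case the reply mentions.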