Bugtraq mailing list archives
Re: overwrite any file with updatedb
From: bandregg () REDHAT COM (Bryan Andregg)
Date: Mon, 2 Mar 1998 19:11:37 -0500
On Sun, 1 Mar 1998 22:44:11 -0500, Cain wrote:
If this is already known, my apologies. It seemed very strange that this worked, so I thought it would be mentionable. On many linux systems(Redhat imparticularly) updatedb is run nightly around 1:00. When it sorts the files that find gets, it creats a few files in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The first file is created and filled, then if necassary, another is created and so on until it has your whole filesystem into a nice database. Well, once the first file is created you can easily guess what the next filename will be called as only the last character will change. If you create a link to say, the shadow password file, updatedb will kindly overwrite it for you. Ex:
It should be pointed out that on Red Hat 4.2 and 5.0 updatedb runs as user nobody by default. This is not a security issue unless you are running a distribution at least a year old. We will be checking for the proper use of temp files in the source also. -- Bryan C. Andregg * <bandregg () redhat com> * Red Hat Software "Donnie were much more 'user-friendly'. May be you selective about friends:-)" -- Levente Farkas "Hey, wait a minute, you clowns are on dope!" -- Owen Cheese in 'Shakes the Clown'
Current thread:
- overwrite any file with updatedb Cain (Mar 01)
- Re: overwrite any file with updatedb Kragen (Mar 02)
- Re: overwrite any file with updatedb Kragen (Mar 02)
- Re: overwrite any file with updatedb Dave G. (Mar 02)
- Re: overwrite any file with updatedb Jeff Murphy (Mar 02)
- Re: overwrite any file with updatedb Bryan Andregg (Mar 02)
- updatedb stuff Cain (Mar 02)