Bugtraq mailing list archives
Re: Tripwire temporary files
From: Jarno Huuskonen <Jarno.Huuskonen () uku fi>
Date: Tue, 10 Jul 2001 13:20:41 +0300
On Tue, Jul 10, Paul Starzetz wrote:
Jarno Huuskonen wrote:I found out about the problem when I noticed a temporary file /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire binary with strace and noticed that temporary files in /tmp are opened without the O_EXCL flag.Here a strace from tripwire 1.2 (Source RPM: tripwire-1.2-223.src.rpm): open("/tmp/twznG1Eud", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4 open("/tmp/twzd9tWqg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3 open("/tmp/twzzykpkj", O_RDWR|O_CREAT, 0600) = 4 nowhere the current pid is used - instead a 6 byte template appears, which is not really predictable (at least shouldn't be!).
So that version of tripwire is not compiled with glibc that uses a letter + pid as the unique/random part. I only mentioned that the binary version of tripwire (2.2.1) avalaible from www.tripwire.com does that. But as you can see it doesn't use O_EXCL so if the 'random' file happens to be a symlink tripwire will overwrite files. -Jarno
Current thread:
- Tripwire temporary files Jarno Huuskonen (Jul 09)
- Re: Tripwire temporary files Charles Stevenson (Jul 10)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 15)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 15)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 16)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 15)
- Re: Tripwire temporary files Charles Stevenson (Jul 10)
- Re: Tripwire temporary files Paul Starzetz (Jul 10)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 10)