[2081] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Insecure /tmp handling in isdnlog

daemon@ATHENA.MIT.EDU (dentoir)
Wed Oct 21 03:07:23 1998

Date: Wed, 21 Oct 1998 02:58:31 +0200 (MET DST)
From: dentoir <edtx@xs4all.nl>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

The isdnlog program (provided by isdn4k-utils.tar.gz) creates a
root-owned temp file called /tmp/isdnctrl (or /tmp/isdnctrl0) and
no checking for symbolic links is done. The file is opened append only,
a user can make a symbolic from /tmp/isdnctrl to any file and mess
things up.

example: ln -s /var/spool/mail/root /tmp/isdnctrl

-- dentoir
Fart Foundation
Security through immaturity

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post