[344] in linux-security and linux-alert archive
elm and /tmp/mbox.*: patch
daemon@ATHENA.MIT.EDU (Lutz Pressler)
Sat Sep 2 09:18:12 1995
Date: Sat, 2 Sep 1995 11:56:22 +0200 (MET DST)
From: Lutz Pressler <Lutz.Pressler@Unix.AMS.Med.Uni-Goettingen.DE>
To: Olaf Kirch <okir@monad.swb.de>
cc: linux-security@tarsier.cv.nrao.edu, BUGTRAQ@CRIMELAB.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hello,
as Olaf Kirch <okir@monad.swb.de> found out, elm (at least 2.4, including
elm-2.4pl24me6) opens its temporary mbox file in /tmp without checking
for existing symlinks. This can be exploited by a local user: for example
to create an .rhosts file for another account which has none yet - with
valid entries, thus getting access to that account.
The following patch (to be applied in the elm distribution directory)
disables this possibility by changing the temporary mailbox file location
to be .mbox.* in the users' home directory. This prohibits multiple elm
sessions on different hosts with shared home dir, but as in this case the
mail spool is probably shared, too, this should not be a problem.
It seems that the other files sometimes created by elm in /tmp are not
so problematic. I haven't checked this thoroughly yet though.
Regards,
Lutz
Patch follows (remove PGP's "- " !):
*** hdrs/sysdefs.SH.orig Sat Sep 2 11:06:35 1995
- --- hdrs/sysdefs.SH Sat Sep 2 11:33:53 1995
***************
*** 94,100 ****
#define default_temp "$tmpdir/"
#define temp_file "snd."
#define temp_form_file "form."
! #define temp_mbox "mbox."
#define temp_print "print."
#define temp_edit "elm-edit"
#define temp_uuname "uuname."
- --- 94,100 ----
#define default_temp "$tmpdir/"
#define temp_file "snd."
#define temp_form_file "form."
! #define temp_mbox ".mbox."
#define temp_print "print."
#define temp_edit "elm-edit"
#define temp_uuname "uuname."
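Review bot: changing `temp_mbox` to ".mbox." alters only the name prefix, while `temp_file`, `temp_form_file`, `temp_print`, `temp_edit` and `temp_uuname` in the same block are left as they were next to `default_temp` ("$tmpdir/"), so every place that builds a path from those names should be audited for the same missing check on a pre-existing file or symlink. A comment on the `temp_mbox` line saying that this name is now joined to the user's home directory rather than to `default_temp` would also help, because nothing in this header tells a later reader that the two no longer belong together.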
*** src/newmbox.c.orig Sat Sep 2 11:07:26 1995
- --- src/newmbox.c Sat Sep 2 11:34:31 1995
***************
*** 374,380 ****
char *cp;
! sprintf(tempfn, "%s%s", default_temp, temp_mbox);
if((cp = rindex(mbox, '/')) != NULL) {
cp++;
if (strcmp(cp, "mbox") == 0 || strcmp(cp, "mailbox") == 0 ||
- --- 374,380 ----
char *cp;
! sprintf(tempfn, "%s/%s", home, temp_mbox);
if((cp = rindex(mbox, '/')) != NULL) {
cp++;
if (strcmp(cp, "mbox") == 0 || strcmp(cp, "mailbox") == 0 ||
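Review bot: the replacement `sprintf(tempfn, "%s/%s", home, temp_mbox)` is still an unbounded write, and `home` is a per-user path whose length is not checked against the size of `tempfn` anywhere in the lines shown; check the combined length before formatting, or use a bounded formatter where one is available. The hunk moves the file out of the shared directory but does not touch how the file is opened, so adding an exclusive create (`O_CREAT|O_EXCL`) at the open would make the fix hold whatever directory the name ends up in.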
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
-----END PGP SIGNATURE-----
--
Lutz Pre"sler <URL:http://www.AMS.Med.Uni-Goettingen.DE/~lpressl1/>
Systemverwaltung -- Abt. Medizinische Statistik, Universit"at G"ottingen
Humboldtallee 32, D-37073 G"ottingen, Tel.: +49(0551) 39-9774 FAX: -4995
<Lutz.Pressler@AMS.Med.Uni-Goettingen.DE> [PGP-key:WWW&Keyserver] IRC:lp
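
The defect described in the message above is an open of a predictable name that follows whatever is already at that name. As an added example (not part of the original post and not elm's code), the hypothetical helper `open_private_temp` shows the exclusive-create check that was missing, exercised against a constructed dangling symlink in a scratch directory; the `/tmp/elmdemo.XXXXXX` template and all names are assumptions.

```c
#define _XOPEN_SOURCE 700 /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not elm code): create path for private use.
 * O_CREAT|O_EXCL fails with EEXIST if the name already exists, even as a
 * dangling symlink, so a pre-planted link is never followed. */
int open_private_temp(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    /* Verify the object we hold, not the name: regular file, ours, one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "mbox.demo" is a symlink to "target", which does not
 * exist. Returns 1 if the open was refused and target was not created
 * through the link, 0 otherwise, -1 on setup error. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/elmdemo.XXXXXX", target[64], link_path[64];
    struct stat st;
    int fd, refused, untouched;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link_path, sizeof link_path, "%s/mbox.demo", dir);
    if (symlink(target, link_path) != 0) return -1;
    fd = open_private_temp(link_path);
    refused = (fd < 0 && errno == EEXIST);
    untouched = (lstat(target, &st) != 0 && errno == ENOENT);
    if (fd >= 0) close(fd);
    unlink(target); unlink(link_path); rmdir(dir);
    return refused && untouched;
}

int main(void)
{
    printf("planted symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```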