[361] in linux-security and linux-alert archive


Re: elm and /tmp/mbox.*

daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Tue Sep 12 18:59:35 1995

From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: ts@papaja.wroc.apk.net (Tomasz Surmacz)
Date: Tue, 12 Sep 1995 10:56:53 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199509102112.XAA00550@papaja.wroc.apk.net> from "Tomasz Surmacz" at Sep 10, 95 11:12:04 pm

Tomasz Surmacz:
> No.  The .rhosts file is just *one* quick method of getting into user's
> account.  If he has .rhosts file already you can attack him using
> thousands of other methods, provided you can create arbitrary files in
> user's home directory (.cshrc, .profile, .login, .logout  (how many of
> you have a .logout file?)).  Other choices are countless - it is
> impossible to think of just everything.  The only way is to correct this
> misbehaviour at the source - the elm program in this case.

This is a more general problem.  Any program creating files in /tmp (not
just elm) can cause the same problem if someone knows the name of temp
file in advance and creates a symlink under that name.  It would be nice
to have a way to prevent creating symlinks in /tmp.  The setuid bit on
directories is not used for anything - maybe it could be used for that?
If it is set, no one except root and the owner of the directory can
create symlinks in it.  This works even for very old programs which
don't know anything about symlinks and lstat().  It shouldn't be too
hard to implement in the kernel.  Comments?

Does anyone know what elvis (/usr/bin/vi on most Linux systems) does
when creating its temp files?  It may have the same problem...

Marek

[mod: elvis (and nvi) use the pid appended to a fixed basename.  Same goes
	for elm when composing mail, countless shell scripts, and probably
	many more. It seems more and more unlikely to me that the `safe open'
	really flies as long as scripts do a `cat > $TMPDIR/art$$'.
							--okir]
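
The problem discussed in this thread, shown as an added example that is not part of the original messages: a create-or-truncate open on a predictable name follows a symlink that is already there, while an `O_CREAT|O_EXCL` open refuses it. The scratch directory from `mkdtemp()` and the name `art1234` are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind `cat > $TMPDIR/art$$`: create-or-truncate, no O_EXCL.
 * If a symlink already sits at `path`, the kernel follows it. */
int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_CREAT|O_EXCL fails with EEXIST if anything exists at
 * `path`, and a symlink there is not followed. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a dangling symlink at a constructed "temp file" name inside a
 * private scratch directory, runs `opener` on that name, and reports whether
 * the link's target came into existence: 1 = the write went through the
 * link, 0 = target untouched, -1 = setup failed. */
int target_clobbered(int (*opener)(const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX";           /* constructed scratch dir */
    char target[128], tmpname[128];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmpname, sizeof tmpname, "%s/art1234", dir); /* base + "pid" */
    if (symlink(target, tmpname) != 0) { rmdir(dir); return -1; }
    int fd = opener(tmpname);
    if (fd >= 0) {
        ssize_t n = write(fd, "draft\n", 6);
        (void)n;
        close(fd);
    }
    int hit = (lstat(target, &st) == 0);  /* exists only if link was followed */
    unlink(target);
    unlink(tmpname);
    rmdir(dir);
    return hit;
}

int main(void) {
    printf("predictable open: %d\n", target_clobbered(open_predictable));
    printf("O_EXCL open:      %d\n", target_clobbered(open_exclusive));
    return 0;
}
```

`mkstemp(3)` combines an unpredictable name with the same exclusive open, and `mktemp(1)` does the equivalent for shell scripts.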
