[883] in linux-security and linux-alert archive
[linux-security] wordperfect for linux
daemon@ATHENA.MIT.EDU (Jeffrey J. Radice)
Tue Jul 9 18:19:18 1996
From: jjr@zilker.net (Jeffrey J. Radice)
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 8 Jul 1996 22:57:20 -0500 (CDT)
Am I paranoid, or is this potentially a problem:
WordPerfect for Linux maintains state information in /tmp/wp-{hostname}.
All the files in that directory are mode 666. If I run WordPerfect as
root (don't know why I would, but let's presume) ...
Observe:
/tmp>ls -al wpc-suzi/
total 7
drwxrwxrwx 2 root friends 1024 Jul 8 22:33 ./
drwxrwxrwt 5 root wheel 2048 Jul 8 22:33 ../
-rw-rw-rw- 1 root friends 324 Jul 8 22:33 .wpexc60.man
-rw-rw-rw- 1 root friends 0 Jul 8 22:33 _W60_0000026462a_
prw-rw-rw- 1 root friends 0 Jul 8 22:33 excmsg60|
-rw-rw-rw- 1 root friends 148 Jul 8 22:33 unix60.def
-rw-rw-rw- 1 root friends 65 Jul 8 22:33 wpq60_0
-rw-rw-rw- 1 root friends 65 Jul 8 22:33 wpq60_65535
Now even if I ran WP as myself, that would potentially leave world-writable
files, owned by me, lying around. Actually some of these files don't change
from one run to the next, so if I installed WP as root, which is necessary,
and then tested it before logging out of a root shell (presuming lack of
sudo), there would be root-owned world-writable files in /tmp until it
was cleaned out. Seems dangerous to me, though I'm not sure how to exploit
it outside of changing one of those to a script and hoping that it is run.
-jjr
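
Added example, not part of the original post: a Python audit for the condition described in the message. It reports entries under a directory that are world-writable, and directories that are world-writable without the sticky bit, as wpc-suzi/ is in the listing. The function names, the private.tmp file and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_world_writable(root, owner_uid=None):
    """Return sorted (relative path, kind, issue) for entries under `root`
    that any local user can modify. owner_uid=None reports every owner."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] if dirpath == root else []
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            st = os.lstat(path)  # lstat: never follow a planted symlink
            mode = st.st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue  # symlink mode bits mean nothing; rest is not o+w
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            if stat.S_ISDIR(mode):
                if mode & stat.S_ISVTX:
                    continue  # sticky, like /tmp: others cannot unlink entries
                kind, issue = "dir", "world-writable, no sticky bit"
            elif stat.S_ISFIFO(mode):
                kind, issue = "fifo", "world-writable"
            elif stat.S_ISREG(mode):
                kind, issue = "file", "world-writable"
            else:
                kind, issue = "other", "world-writable"
            findings.append((os.path.relpath(path, root), kind, issue))
    return sorted(findings)

def build_sample(base):
    """Constructed copy of part of the listing in the post, plus one private file."""
    d = os.path.join(base, "wpc-suzi")
    os.mkdir(d)
    os.chmod(d, 0o777)  # chmod after creation so the umask does not interfere
    for name, mode in ((".wpexc60.man", 0o666), ("unix60.def", 0o666),
                       ("private.tmp", 0o600)):  # private.tmp is not in the post
        with open(os.path.join(d, name), "w"):
            pass
        os.chmod(os.path.join(d, name), mode)
    os.mkfifo(os.path.join(d, "excmsg60"))
    os.chmod(os.path.join(d, "excmsg60"), 0o666)
    return d

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for finding in audit_world_writable(build_sample(base)):
            print(*finding, sep="\t")
```

Passing owner_uid=0 limits the report to root-owned entries, the case the message is concerned about.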