[883] in linux-security and linux-alert archive


[linux-security] wordperfect for linux

daemon@ATHENA.MIT.EDU (Jeffrey J. Radice)
Tue Jul 9 18:19:18 1996

From: jjr@zilker.net (Jeffrey J. Radice)
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 8 Jul 1996 22:57:20 -0500 (CDT)


Am I paranoid, or is this potentially a problem:

WordPerfect for Linux maintains state information in /tmp/wp-{hostname}.
All the files in that directory are mode 666.  If I run WordPerfect as
root (don't know why I would, but let's presume) ...

Observe:

/tmp>ls -al wpc-suzi/
total 7
drwxrwxrwx   2 root     friends      1024 Jul  8 22:33 ./
drwxrwxrwt   5 root     wheel        2048 Jul  8 22:33 ../
-rw-rw-rw-   1 root     friends       324 Jul  8 22:33 .wpexc60.man
-rw-rw-rw-   1 root     friends         0 Jul  8 22:33 _W60_0000026462a_
prw-rw-rw-   1 root     friends         0 Jul  8 22:33 excmsg60|
-rw-rw-rw-   1 root     friends       148 Jul  8 22:33 unix60.def
-rw-rw-rw-   1 root     friends        65 Jul  8 22:33 wpq60_0
-rw-rw-rw-   1 root     friends        65 Jul  8 22:33 wpq60_65535

Now even if I ran WP as myself, that would potentially leave world writable
files, owned by me, lying around.  Actually some of these files don't change
from one run to the next, so if I installed WP as root, which is necessary,
and then tested it before logging out of a root shell (presuming lack of
sudo), there would be root-owned world-writable files in /tmp until it
was cleaned out.  Seems dangerous to me, though I'm not sure how to exploit
it outside of changing one of those to a script and hoping that it is run.

-jjr
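
Added example, not part of the original post: a shell function that audits a state directory like the one in the listing above for the two conditions it shows, world-writable files and FIFOs, and a world-writable directory without the sticky bit. The function name, the output labels and the optional owner argument are assumptions made for this example.

```shell
#!/bin/sh
# audit_world_writable DIR [OWNER]
# Prints one finding per line as "<kind> <path>":
#   dir-no-sticky  world-writable directory lacking the sticky bit, so any
#                  user can delete or replace the entries inside it
#   file           world-writable regular file
#   fifo           world-writable named pipe
# OWNER (a user name or numeric uid) limits findings to entries owned by
# that user, e.g. root. Example call: audit_world_writable /tmp root
audit_world_writable() {
    dir=$1
    owner=${2:-}
    # Reuse the positional parameters to hold the optional owner filter.
    if [ -n "$owner" ]; then
        set -- -user "$owner"
    else
        set --
    fi
    # -perm -0002 matches "other" write; ! -perm -1000 means no sticky bit.
    find "$dir" "$@" -type d -perm -0002 ! -perm -1000 \
        -exec printf 'dir-no-sticky %s\n' {} \;
    find "$dir" "$@" -type f -perm -0002 -exec printf 'file %s\n' {} \;
    find "$dir" "$@" -type p -perm -0002 -exec printf 'fifo %s\n' {} \;
}
```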
