[20445] in bugtraq
Re: Linux patches to solve /tmp race problem
daemon@ATHENA.MIT.EDU (Valdis Kletnieks)
Thu Apr 26 01:18:18 2001
Message-ID: <200104251558.f3PFwnN10445@foo-bar-baz.cc.vt.edu>
Date: Wed, 25 Apr 2001 11:58:49 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
X-To: matthew@datadeliverance.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Thu, 26 Apr 2001 01:14:18 +0930."
<15078.61650.196935.160361@localhost.localdomain>
On Thu, 26 Apr 2001 01:14:18 +0930, matthew@datadeliverance.com said:
> I see your point about buffer overflows, but I'm not sure that the same
> applies to /tmp races: maybe I'm missing something, but my perception of the
> the essence of /tmp races is this: someone sticks a symlink in /tmp just
> before a privileged user (e.g. root) is about to create a file with that
> name. Privileged user doesn't check properly, and writes stuff to the
> file the non-privileged user selected.
Wasn't there a *LONG* thread a while ago about how to properly clean a /tmp
on a *secure* regular basis? (the problem being that a malicious user could
drop something into /tmp that ended up causing the /tmp cleaner to clean
the wrong thing....)
Remember - there's *two* race conditions - one for creating a file (causing
the victim to create a file other than where he thought), and one for
de-referencing a filename (causing the victim to read an existing file other
than the one he intended). /tmp cleaners are in the second category....
Of course, there's still people out there getting burnt by a simple
find /tmp -mtime -7 -type f | xargs rm
Lots of joy to be found here - like this:
mkdir /tmp/foo\n; touch /tmp/foo\n/vmunix
Wait a week, and watch the next reboot fail. Note that *this* little
gem will work even with separate per-user /tmp directories - this is
why GNU find/xargs have a -0 option.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
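The newline trick above, reproduced as an added example (this is not code from the post or from any /tmp-cleaning tool). It builds a throwaway directory as a stand-in for /tmp, plants a stale file whose name contains a newline, runs a cleaner in the shape of the one quoted in the message, and then runs the -print0 / xargs -0 version. Two assumptions: the age test is -mtime +7 (the "wait a week" case; the post's one-liner uses -7), and, since the demo cannot delete /vmunix, the victim is a file named vmunix in the directory the cleaner runs from, so the argument that xargs splits off is relative. The mechanism is the same: find emits the path, xargs splits it at the newline, and rm receives a name the administrator never intended.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the
# newline-in-filename attack on a "find | xargs rm" /tmp cleaner inside a
# mktemp directory standing in for /tmp, then shows the -print0 / -0 fix.
# Nothing outside the sandbox is touched: the victim is "<sandbox>/vmunix",
# and the cleaner is run with the sandbox as its working directory so the
# split-off argument "vmunix" resolves there (stand-in for /vmunix).

# Build the sandbox: a fresh victim file the cleaner must never remove, and
# the attacker's week-old entry whose name contains a newline.
make_sandbox() {
    sandbox=$(mktemp -d)
    echo "kernel image (stand-in)" > "$sandbox/vmunix"
    # Attacker's file name: "foo", a newline, then "vmunix". find prints it
    # as two lines, and newline-delimited xargs sees two separate arguments.
    nl=$(printf '\n.'); nl=${nl%.}            # portable way to hold a newline
    : > "$sandbox/foo${nl}vmunix"
    # Backdate it so a cleaner looking for week-old files picks it up.
    touch -t 200101010000 "$sandbox/foo${nl}vmunix"
    printf '%s\n' "$sandbox"
}

# The cleaner from the post (age test assumed to be +7): splits on whitespace.
naive_cleaner() {
    ( cd "$1" && find "$1" -mtime +7 -type f | xargs rm -f )
}

# Fixed cleaner: NUL-terminated records, so a newline is just another byte
# inside a file name.
safe_cleaner() {
    ( cd "$1" && find "$1" -mtime +7 -type f -print0 | xargs -0 rm -f )
}

# Describe the sandbox after a cleaner ran:
# "victim=<kept|deleted> stale=<kept|removed>"
report() {
    v=deleted
    if [ -e "$1/vmunix" ]; then v=kept; fi
    s=removed
    for f in "$1"/foo*; do
        if [ -e "$f" ]; then s=kept; fi
    done
    printf 'victim=%s stale=%s\n' "$v" "$s"
}

demo_naive() { d=$(make_sandbox); naive_cleaner "$d"; report "$d"; rm -rf "$d"; }
demo_safe()  { d=$(make_sandbox); safe_cleaner "$d";  report "$d"; rm -rf "$d"; }

demo_naive    # victim=deleted stale=kept   (rm got "<sandbox>/foo" and "vmunix")
demo_safe     # victim=kept stale=removed
```

The naive run never removes the attacker's file at all: the two fragments xargs hands to rm are "<sandbox>/foo" (which does not exist, hence the -f) and "vmunix". The same applies to any separator the attacker can put in a name; only NUL cannot appear in a path, which is why -print0 and -0 are the right tools rather than quoting.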