[21443] in bugtraq
Re: Tripwire temporary files
daemon@ATHENA.MIT.EDU (Jarno Huuskonen)
Tue Jul 10 11:02:31 2001
Date: Tue, 10 Jul 2001 13:20:41 +0300
From: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
To: Paul Starzetz <paul@starzetz.de>
Cc: bugtraq@securityfocus.com
Message-ID: <20010710132041.C38666@messi.uku.fi>
In-Reply-To: <3B4AC732.1EE59E6E@starzetz.de>; from paul@starzetz.de on Tue, Jul 10, 2001 at 11:13:22AM +0200

On Tue, Jul 10, Paul Starzetz wrote:
> Jarno Huuskonen wrote:
>
> > I found out about the problem when I noticed a temporary file
> > /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire
> > binary with strace and noticed that temporary files in /tmp are opened
> > without the O_EXCL flag.
>
> Here a strace from tripwire 1.2 (Source RPM: tripwire-1.2-223.src.rpm):
>
> open("/tmp/twznG1Eud", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4
> open("/tmp/twzd9tWqg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
> open("/tmp/twzzykpkj", O_RDWR|O_CREAT, 0600) = 4
>
> nowhere the current pid is used - instead a 6 byte template appears,
> which is not really predictable (at least shouldn't be!).

So that version of tripwire is not compiled with glibc that uses a
letter + pid as the unique/random part. I only mentioned that the binary
version of tripwire (2.2.1) available from www.tripwire.com does that.
But as you can see it doesn't use O_EXCL, so if the 'random' file happens
to be a symlink, tripwire will overwrite files.

-Jarno
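
The difference O_EXCL makes, as an added example that is not part of the original message or of tripwire's code: inside a private scratch directory, a symlink sits at the temporary file's name and points at a stand-in "protected" file, and the two open() calls are compared. The directory name, the file names and the helper functions are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same flags as the first open() in the quoted strace: no O_EXCL. */
static int open_unsafe(const char *p) { return open(p, O_RDWR | O_CREAT | O_TRUNC, 0666); }

/* O_CREAT|O_EXCL fails with EEXIST if the name exists, even as a symlink. */
static int open_safe(const char *p) { return open(p, O_RDWR | O_CREAT | O_EXCL, 0600); }

/* Returns the size of the protected file after the open attempt (-1 on
 * setup failure) and stores the errno of the open() call in *open_errno. */
long demo(int use_excl, int *open_errno) {
    char dir[] = "/tmp/excl-demo-XXXXXX";   /* constructed scratch dir */
    char target[64], tmpname[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(tmpname, sizeof tmpname, "%s/twtemp", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important data\n", f);            /* 15 bytes */
    fclose(f);
    if (symlink(target, tmpname) != 0) return -1;  /* pre-existing link */

    errno = 0;
    int fd = use_excl ? open_safe(tmpname) : open_unsafe(tmpname);
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmpname); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e;
    long n = demo(0, &e);
    printf("without O_EXCL: protected file now %ld bytes\n", n);
    n = demo(1, &e);
    printf("with O_EXCL: %ld bytes, open() failed: %s\n", n, strerror(e));
    return 0;
}
```

mkstemp() creates its file with O_CREAT|O_EXCL internally, so it gives the same protection along with the name generation.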