[22141] in bugtraq
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
daemon@ATHENA.MIT.EDU (Felipe Franciosi)
Mon Aug 6 17:44:16 2001
Date: Mon, 06 Aug 2001 16:21:41 -0300
From: Felipe Franciosi <franciozzy@terra.com.br>
To: Brian Smith <avalon73@arthurian.nu>
Cc: "Jeremy C. Reed" <reed@reedmedia.net>,
Olaf Bohlen <firefox@is.sun-powered.de>, bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.3.95.1010801203546.5544A-100000@camelot.arthurian.nu>
Message-Id: <20010806161522.ED00.FRANCIOZZY@terra.com.br>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
> It's apparently something that's changed in later versions of Slackware.
> Here's one from my machine, which was originally Slack3.5 (before going
> through several upgrades, of course):
>
> -rw-r--r-- 1 root root 740500 Aug 1 04:03 locatedb

I would like to remind you that old Slackware boxes used to have a
huge problem with this ownership of the locate system.

I can't remember exactly in which version it was changed to nobody,
but I do remember the problem:

The updatedb runs every day at 4:40 am. It creates temporary files
in /tmp, and the names of these files are numbers. The point is
that there were several files created along the process, and the
name of the next file was an increment of the last one.

This would allow any local user to create a symbolic link from any
system file to a file named with an incremented number of the
current temp file... Once it was run by root, this would basically
append a lot of trash info to the file.

Imagine the destruction if the link was pointed to a hard drive at
/dev, for example. :-)

Switching from root's crontab to nobody's crontab was the
solution at the time.

Regards,
Felipe
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Felipe Franciosi paradoxo networking
http://www.paradoxo.org Porto Alegre - RS
Phone: (55)(51) 9806 7387 UIN - 33596050
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
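
Added example, not part of the original message and not Slackware's updatedb code: a sandboxed shell sketch of the predictable-name temp file problem described in the message above, next to a private scratch directory made with mktemp -d and an audit check for numerically named symlinks. The function names, the number 4041 and the "victim" file are constructed for illustration, and it assumes a find that supports -maxdepth.

```shell
#!/bin/sh
# Added example; every path lives in a throwaway sandbox directory.

# Pattern from the message: append to "<tmpdir>/<number>", a name any local
# user can predict. ">>" follows a symlink already sitting at that name.
predictable_write() {   # $1 = tmp dir, $2 = next number in the sequence
    echo "scratch data" >> "$1/$2"
}

# Hardened form: mktemp -d atomically creates a mode-0700 directory with an
# unpredictable name and fails if the name exists, so nothing can be
# planted inside it ahead of time.
private_write() {       # $1 = tmp dir; prints the scratch file it used
    d=$(mktemp -d "$1/updatedb.XXXXXXXXXX") || return 1
    echo "scratch data" >> "$d/1"
    printf '%s\n' "$d/1"
}

# Audit check: symlinks directly under a tmp dir with all-digit names.
numeric_links() {       # $1 = tmp dir
    find "$1" -maxdepth 1 -type l -name '[0-9]*' ! -name '*[!0-9]*'
}

demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    : > "$box/victim"                    # constructed stand-in for a system file
    ln -s "$box/victim" "$box/tmp/4041"  # constructed: link at the next name
    echo "flagged by audit: $(numeric_links "$box/tmp")"
    predictable_write "$box/tmp" 4041
    echo "victim after predictable_write: $(wc -c < "$box/victim") bytes"
    : > "$box/victim"
    private_write "$box/tmp" > /dev/null
    echo "victim after private_write: $(wc -c < "$box/victim") bytes"
    rm -rf "$box"
}
demo
```

Running the job as nobody, the fix named in the message, limits what a followed link can damage; the private directory removes the predictable name itself.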