[6307] in bugtraq
Re: /tmp event logger
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Sun Mar 15 15:05:18 1998
Date: Sun, 15 Mar 1998 11:06:30 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Sat, 14 Mar 1998 13:09:02 +0100."
<01bd4f41$fb13f6a0$LocalHost@LCAMTUF>
> Due to the excessive amount of /tmp races reported in the last months,
> here's a /tmp event logger. This simple and small program logs file
> activity in a given directory, giving a clear, reusable, space-saving
> format (including operation, filename, uid/gid, file type, permissions,
> current time). It's very useful when you're looking for possible
> vulnerabilities, or trying to trace attacks.

Many of you have source to the operating systems and tools you run.
I'd like to make a strong recommendation for source-level audits as the
best way to find these problems. And while you are there you can fix
them too, and then tell the maintainers of the packages; not just

For instance, all programs compiled with GNU f77 have 2 mktemp races.
It's in the source. I just contacted the maintainer of the package;
he didn't appear to have any idea what a /tmp race is. This is going
to be extremely common. So those who care about this issue should
start auditing code, and then telling the authors of these systems
that such problems are unacceptable. Try to give them patches. Push
hard to get these things fixed.
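
The pattern such an audit looks for, next to its fix, as an added example that is not part of the original post or of any package it mentions: a temp name chosen first and opened later without O_EXCL, compared with an exclusive create and with mkstemp(). The function names, file names and the symlink scenario are constructed for illustration and run inside a private mkdtemp() directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern to flag in an audit: the name was chosen earlier (as mktemp()
 * does) and is opened without O_EXCL, so whatever already sits at that
 * path, a symlink included, is followed and truncated. */
static int open_racy(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix when the caller must pick the name: with O_CREAT|O_EXCL, open()
 * fails with EEXIST if anything, even a symlink, exists at the path. */
static int open_excl(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: a 9-byte
 * "victim" file plus a symlink to it at the temp name. Returns the
 * victim's size after opener() ran, or -1 if setup failed. */
static long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/tmprace.XXXXXX", victim[64], name[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/tmpfile", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important", f); fclose(f);
    if (symlink(victim, name) != 0) return -1;
    int fd = opener(name);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(name); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    /* Usual fix: mkstemp() names and creates the file in one step. */
    char tmpl[] = "/tmp/tmpsafe.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    printf("racy: %ld bytes left, O_EXCL: %ld bytes left\n",
           victim_size_after(open_racy), victim_size_after(open_excl));
    return fd >= 0 ? 0 : 1;
}
```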