[6508] in bugtraq


Re: MGE UPS Systems

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Mon Apr 13 18:48:26 1998

Date: 	Mon, 13 Apr 1998 10:06:58 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         rmurray@lightspeed.bc.ca
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Sun, 12 Apr 1998 23:46:39 PDT." 
              <19980412234639.A18435@straylight>

> If you are running the software, you may want to clear /tmp at boot, at least
> for the lock files.  Otherwise any user can turn any file on the system to 0
> bytes.

I should probably point out that methods like "clearing /tmp at boot
time" do not necessarily work.

In particular, in many systems one can use the system bootup
procedures to run processes on behalf of a regular user, which could
then create files or symbolic links to play other games to exploit a
problem.  Two examples follow:

1) cron is started early.  In particular, Vixie cron has a feature not
   a lot of people know about called @reboot.  Since cron is started early
   and starts pushing jobs through, this permits a user to run processes
   of his choice while /etc/rc is still executing.  With non-vixie versions
   of cron this is harder, but I bet it's still doable.

2) Some /etc/rc scripts execute sendmail's to deliver vipreserve
   information.  A nice little .forward... can therefore run at the same
   time as /etc/rc.

In OpenBSD's case, we considered this issue to be even more serious
since random users could run programs of their choice before the
kernel securelevel (see init(8)) has been changed.  To avoid that
issue we had to change the order of several things in /etc/rc*...
