[8205] in bugtraq


/tmp race in mc-4.5.0

daemon@ATHENA.MIT.EDU (Pavel Machek)
Wed Oct 14 13:47:36 1998

Date: 	Tue, 13 Oct 1998 00:41:04 +0200
Reply-To: Pavel Machek <pavel@BUG.UCW.CZ>
From: Pavel Machek <pavel@BUG.UCW.CZ>
X-To:         Adrian Voinea <root@DEATH.GDS.RO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <203602070631.IAA08677@Death.GdS.RO>; from Adrian Voinea on Thu,
              Feb 07, 2036 at 08:31:37AM +0200

Hi!

> mc 4.5.0 creates a temporary file in /tmp when it's started.
> It's called talk.fish and has the mode 644. If a user would link the
> file to /etc/passwd or anything else, when the root would start mc, the
> file would be erased.

It was me who added the talk.fish file (and it kind of escaped me, sorry),
it is a debugging hack and it is currently disabled in my tree (and
CVS). Workaround is:

create /tmp/talk.fish yourself, so that no one can put a symlink there

solution is: do not run beta software as root, 4.0.X is stable, 4.5.0
is not.

                                                                Pavel

PS: There are more /tmp/ holes in midnight commander, beware. Extfs
scripts contain some. I'm going to mark them FIXME: TMP RACE in
the development tree. What is worse, they are probably going to
stay there until someone invents a safe & portable way to work
with temporary files from shell.

(Actually, is this safe? It might be safe & portable, unfortunately,
it is also slow & ugly)

    TMPDIR=/tmp/mctmpdir.$$
    mkdir $TMPDIR || exit 0
    cd $TMPDIR
    do_something > $TMPDIR/file
    rm $TMPDIR/file
    rmdir $TMPDIR

?

PPS: It might be nice to contact the authors of the affected program a few days
before you post to bugtraq...

--
I'm really pavel@atrey.karlin.mff.cuni.cz.         Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
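
The mkdir-based pattern asked about in the message above, as an added example that is not part of the original post or of Midnight Commander: it keeps the atomic mkdir step, adds a restrictive umask, and skips any name that is already taken instead of reusing it. The function names, the retry count of 10 and the use of `date` as a stand-in for `do_something` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Names are illustrative.

# make_private_tmpdir BASE PREFIX
# Prints the path of a directory this call created under BASE; returns 1
# if none could be created. mkdir without -p fails with EEXIST when the
# name is already taken, even by a dangling symlink, so success proves
# the directory is new and ours.
make_private_tmpdir() {
    mpt_n=0
    while [ "$mpt_n" -lt 10 ]; do
        mpt_dir="$1/$2.$$.$mpt_n"
        # The subshell keeps umask 077 local; the directory gets mode 0700.
        if (umask 077 && mkdir "$mpt_dir") 2>/dev/null; then
            printf '%s\n' "$mpt_dir"
            return 0
        fi
        # Name taken (possibly planted): never reuse it, try the next one.
        mpt_n=$((mpt_n + 1))
    done
    return 1
}

# scratch_run BASE
# Shape of an extfs-style helper: all temporary output goes inside the
# private directory, so the file name need not be unpredictable.
scratch_run() {
    sr_dir=$(make_private_tmpdir "$1" mctmpdir) || return 1
    date > "$sr_dir/file"      # stand-in for the post's do_something
    sr_status=$?
    rm -f "$sr_dir/file"
    rmdir "$sr_dir"
    return "$sr_status"
}
```

On systems that ship mktemp, `mktemp -d` performs the same create-or-fail step with a random suffix.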
