[8334] in bugtraq

Re: Another nice tmp race

daemon@ATHENA.MIT.EDU (Glynn Clements)
Wed Oct 28 17:58:40 1998

Date: 	Wed, 28 Oct 1998 11:59:02 +0000
Reply-To: Glynn Clements <glynn@SENSEI.CO.UK>
From: Glynn Clements <glynn@SENSEI.CO.UK>
X-To:         Stefan Laudat <stefan@ns.art.ro>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.981021100330.11440A-100000@ns.art.ro>

Stefan Laudat wrote:

>         Playing with my new shiny Slackware 3.5 box I have noticed
> something unusual. The in.pop3d daemon creates sometimes locks for some
> mailboxes in /usr/tmp/.pop. The directory is  drwxrwxrwt so there will be
> no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
> whatever comes in your head. Be creative.

To clarify matters further:

1. The temp files are open()ed with O_EXCL, so (AFAIK) /usr/tmp/.pop
would have to be on an NFS filesystem (or something else which doesn't
handle O_EXCL correctly) in order for there to be a race condition.

2. pop3d performs a setuid() to the user who has logged in before the
temp files are created, so any files would need to be group writable,
for pop3d's gid or supplementary gids.

The mailing list address for pop3d is pop3d@scott.net. The maintainer
is now aware of this issue.

--
Glynn Clements <glynn@sensei.co.uk>
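
Added example (not part of the original message and not pop3d's code): point 1 above shown in C on a local filesystem, where open() with O_CREAT|O_EXCL refuses a pre-existing symlink with EEXIST, while the same call without O_EXCL follows the link and writes to its target. The function name is hypothetical and all paths are constructed inside a private mkdtemp() directory.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp(), symlink() under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: plant a symlink where a lock file is expected, then
 * create the lock with or without O_EXCL.
 * Returns 1 if the write reached the symlink's target, 0 if the open was
 * refused with EEXIST and the target stayed empty, -1 on a setup error. */
int lock_write_hits_target(int use_excl)
{
    char dir[] = "/tmp/popdemoXXXXXX";      /* constructed scratch directory */
    char target[64], lock[64];
    struct stat st;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lock, sizeof lock, "%s/lock", dir);

    /* Empty stand-in for a file that must not be modified, plus the link. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(target, lock) != 0)
        goto out;

    /* The lock-file open under test. */
    fd = open(lock, O_WRONLY | O_CREAT | (use_excl ? O_EXCL : 0), 0600);
    if (fd >= 0) {
        ssize_t n = write(fd, "lock\n", 5);
        close(fd);
        if (n != 5)
            goto out;
    } else if (errno != EEXIST) {
        goto out;
    }
    if (stat(target, &st) == 0)
        result = st.st_size > 0;
out:
    unlink(lock);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("without O_EXCL: target modified = %d\n", lock_write_hits_target(0));
    printf("with O_EXCL:    target modified = %d\n", lock_write_hits_target(1));
    return 0;
}
```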
