[18055] in bugtraq


Re: [hacksware]Pine temporary file hijacking vulnerability

daemon@ATHENA.MIT.EDU (Christopher X. Candreva)
Wed Dec 13 20:58:03 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.30.0012121925340.8654-100000@westnet>
Date:         Tue, 12 Dec 2000 19:32:38 -0500
Reply-To: "Christopher X. Candreva" <chris@WESTNET.COM>
From: "Christopher X. Candreva" <chris@WESTNET.COM>
X-To:         Peter W <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.30.0012111508510.25236-100000@localhost>

On Mon, 11 Dec 2000, Peter W wrote:

> It would be nice if there was an easy, portable way to ensure safe temp
> file operations (mkstemp()?) but in the meantime, don't panic. Set safe
> values for TMP and TMPDIR and Pine behaves well.

I've just tried this under Solaris 8, pine 4.30, and with both $TMP and
$TMPDIR set, Pine is still writing to /tmp.

There is another, more global, solution. The AMD automounter from
cs.columbia.edu (now distributed as am-utils) has included a program called
hlfsd (Home Link File System Daemon) for a number of years. It was
designed as a simple way to have users' e-mail delivered to their home
directories instead of to /var/spool/mail. It uses the automounter,
watches the directory it's told to, and redirects requests to that directory
from a user to a dir in their home directory. Users think their mail is in
/var/spool/mail/username, but it's really in
/home/path/username/.hlfsdir/username

I think that program stock, with different options, should be able to do the
same thing to /tmp very easily. Every program will now write safely to /tmp,
who cares how it's written.

The home page for am-utils is http://www.cs.columbia.edu/~ezk/am-utils/

This is pure theory, but I may try this out on a test system tomorrow.

-Chris

==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
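The thread turns on two things: whether a program honours $TMP/$TMPDIR at all, and whether it creates its temp file in a way that a pre-planted symlink cannot redirect. The following is an added example, not code from Pine or from am-utils, of how an application can do both: it picks the directory from $TMPDIR, then $TMP, then /tmp, creates the file with mkstemp() (which opens with O_CREAT|O_EXCL, so an existing link at that name causes a failure rather than being followed), and then verifies through the open descriptor that it really got a fresh regular file of its own. The function names safe_tmpfile(), tmp_dir() and in_tmp_dir() and the prefix "pine" are this example's own choices, not anything from the original message.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Directory for temp files: honour $TMPDIR, then $TMP, then fall back
 * to /tmp. These are the variables the quoted reply suggests setting. */
static const char *tmp_dir(void)
{
    const char *d = getenv("TMPDIR");
    if (d == NULL || *d == '\0')
        d = getenv("TMP");
    if (d == NULL || *d == '\0')
        d = "/tmp";
    return d;
}

/* Create an unpredictably named temp file under tmp_dir().
 * mkstemp() opens with O_CREAT|O_EXCL, so a symlink or file already sitting
 * at the generated name makes the call fail instead of being followed.
 * On success the chosen path is written into `path` (capacity `pathsz`) and
 * the open file descriptor is returned; on any failure -1 is returned. */
int safe_tmpfile(const char *prefix, char *path, size_t pathsz)
{
    int n = snprintf(path, pathsz, "%s/%s.XXXXXX", tmp_dir(), prefix);
    if (n < 0 || (size_t)n >= pathsz)
        return -1;                     /* buffer too small for the template */

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* Check the object behind the descriptor (not the path, which could be
     * swapped after the open): a regular file, owned by us, with one link. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Returns 1 if `path` lies directly inside the configured temp directory,
 * i.e. the program really did honour $TMPDIR/$TMP. */
int in_tmp_dir(const char *path)
{
    const char *d = tmp_dir();
    size_t len = strlen(d);
    return strncmp(path, d, len) == 0 && path[len] == '/' &&
           strchr(path + len + 1, '/') == NULL;
}

int main(void)
{
    char path[4096];
    int fd = safe_tmpfile("pine", path, sizeof path);   /* "pine" is just a sample prefix */
    if (fd < 0) {
        perror("safe_tmpfile");
        return 1;
    }
    printf("created %s (under %s: %s)\n", path, tmp_dir(),
           in_tmp_dir(path) ? "yes" : "no");
    if (write(fd, "hello\n", 6) != 6)
        perror("write");
    close(fd);
    unlink(path);
    return 0;
}
```

Run it once with TMPDIR unset and once with TMPDIR pointing at a directory only you can write, and the printed path moves accordingly; that is the behaviour the original message reports Pine 4.30 on Solaris 8 did not show. The fstat() check after mkstemp() is deliberately on the descriptor rather than the path name, since the name can be replaced between any two path-based operations.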
