[2071] in bugtraq
bug in /sbin/ps on sunos5.4 ?
daemon@ATHENA.MIT.EDU (Darren Reed)
Thu Aug 3 12:45:14 1995
Date: Thu, 3 Aug 1995 01:51:17 +1000
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To: bugtraq@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
or is it /usr/bin/ps...
anyway, has anyone worked out whether or not it is possible to exploit
the race condition in /bin/ps if /tmp/ps_data is missing ?
...if you want the details, just go to any system you're root on which
is solaris2, rm /tmp/ps_data and do "truss ps >&/tmp/foo" and look through
/tmp/foo for a chown. It looks possible, but not easy.
of course it is really only a problem when /tmp is rwxrwxrwx (which is
pretty common with /tmp mounting from swapfs and no chmod in any /etc/rc
scripts).
the fix is to chmod +t /tmp and put that in the rc script which mounts
/tmp (after /tmp is mounted) and make sure root owns /tmp/ps_data :)
darren
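
A check for the two conditions the post names (a world-writable /tmp without the sticky bit, and /tmp/ps_data missing or not owned by root), as an added example that is not part of the original message. The function names `check_tmp_dir` and `check_ps_data` are hypothetical, and reporting a symlink at that path is an assumption beyond what the post states.

```shell
#!/bin/sh
# Added example: report the /tmp conditions described in the post.
# Function names are hypothetical; modes are read from ls -ld for portability.

# Prints a status word for DIR; returns 1 if world-writable without sticky bit.
check_tmp_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 2; }
    mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxrwxrwt
    other_w=$(printf '%s' "$mode" | cut -c9)
    last=$(printf '%s' "$mode" | cut -c10)  # t or T means sticky bit set
    if [ "$other_w" != "w" ]; then
        echo "ok-not-world-writable"; return 0
    fi
    case $last in
        t|T) echo "ok-sticky"; return 0 ;;
        *)   echo "world-writable-no-sticky"; return 1 ;;
    esac
}

# Prints a status word for FILE; WANT_UID defaults to 0 (root).
check_ps_data() {
    f=$1
    want_uid=${2:-0}
    # Assumption beyond the post: a symlink at this path is also reported.
    if [ -L "$f" ]; then echo "symlink"; return 1; fi
    [ -e "$f" ] || { echo "missing"; return 1; }
    uid=$(ls -ldn "$f" | awk '{print $3}')  # numeric owner uid
    if [ "$uid" = "$want_uid" ]; then echo "ok-owner"; return 0; fi
    echo "wrong-owner:$uid"; return 1
}

# Usage: sh check_ps_tmp.sh /tmp
if [ $# -gt 0 ]; then
    check_tmp_dir "$1"
    check_ps_data "$1/ps_data"
fi
```

Run it from the rc script after /tmp is mounted, or from a periodic job, and treat any status not beginning with `ok-` as a finding.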