[2114] in bugtraq


Re: BUGTRAQ ALERT: Solaris 2.x vulnerability

daemon@ATHENA.MIT.EDU (Patrick Hess)
Wed Aug 16 15:40:35 1995

Date:         Wed, 16 Aug 1995 12:03:52 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Patrick Hess <phess@best.com>
X-To:         BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199508160842.BAA03459@statler.csc.calpoly.edu> from "Nathan
              Lawson" at Aug 16, 95 01:42:36 am

"Nathan Lawson once said:"
>
> Aleph1 said:
> > Well, while we're talking about SysV ps: IRIX's, it's sgid to sys, writes
> > to /tmp/.ps_data and /tmp/.ps_XXXXXX but /tmp has the sticky bit on.
>
> The /tmp/.psXXXXXX is open to a race.  The directory is safe as long as it
> isn't world writable.
>
> -Nate
>

Ya know, if /tmp isn't world writeable doesn't that defeat the purpose of
having a /tmp at all?  It's kinda like security by never giving out
accounts.  Sure, it's secure but useless.  The whole point of having a /tmp
is to give people with limited disk space somewhere to put their junk for a
short time.  That means the _world_ has to be able to write to it.  The
sticky-bit on the directory makes it such that only the creator of the file
can remove it when the directory is otherwise world writeable.  It is the
obvious and elegant solution to this problem.

Sorry for the little tirade, but I kinda got the impression that there were
people on this list that didn't quite understand why this hole is serious,
but easily fixed.  I now return you to your regularly scheduled security
leaks.

                        Pat
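
Added example, not part of the original post or thread: a C sketch of the two checks the discussion turns on. It tests whether a scratch directory is world-writable with the sticky bit set, and it creates a file at a predictable name with O_EXCL so that an entry already sitting at that name is refused rather than opened. The function names and the scratch directory are made up for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* lstat, S_ISVTX, mkdtemp under strict -std modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classify a directory by its mode bits (hypothetical helper):
 *   0 = not world-writable, 1 = world-writable with sticky bit (mode 1777),
 *   2 = world-writable without sticky bit, so any user can unlink or rename
 *       another user's files, -1 = cannot stat or not a directory. */
int classify_tmpdir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (!(st.st_mode & S_IWOTH))
        return 0;
    return (st.st_mode & S_ISVTX) ? 1 : 2;
}

/* Create a file at a known name (hypothetical helper). O_EXCL makes open()
 * fail with EEXIST if anything, a symlink included, already exists there,
 * so an entry created before this call is never opened or followed. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    static const char *label[] = { "not world-writable",
        "world-writable, sticky", "world-writable, NOT sticky" };
    char dir[] = "/tmp/stickydemoXXXXXX", name[64];   /* constructed paths */
    int c = classify_tmpdir("/tmp");
    printf("/tmp: %s\n", c < 0 ? "unavailable" : label[c]);
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(name, sizeof name, "%s/.ps_data", dir);
    if (symlink("/nonexistent/target", name) != 0) return 1;  /* pre-existing entry */
    int fd = create_exclusive(name);
    printf("create over existing symlink: %s\n", fd < 0 ? strerror(errno) : "opened");
    unlink(name); rmdir(dir);
    return 0;
}
```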
