[2122] in bugtraq


Re: BUGTRAQ ALERT: Solaris 2.x vulnerability

daemon@ATHENA.MIT.EDU (Nathan Lawson)
Thu Aug 17 00:03:17 1995

Date:         Wed, 16 Aug 1995 20:10:25 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Nathan Lawson <nlawson@statler.csc.calpoly.edu>
X-To:         Aleph One <aleph1@dfw.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <Pine.SUN.3.90.950816122309.27163C-100000@dfw.net> from "Aleph
              One" at Aug 16, 95 12:25:04 pm

> On Wed, 16 Aug 1995, Nathan Lawson wrote:
>
> > The /tmp/.psXXXXXX is open to a race.  The directory is safe as long as it
> > isn't world writable.
>
> Mind to expand on this? How would this work? The /tmp directory *does*
> have the sticky bit so we can't rm the file and substitute it. Are you talking

Yes.  Basically, Irix uses an insecure method of making a temp file based on
pid, just like any other OS that uses blahXXXXXX.  If you are going to use a
predictable filename, then you'd better open it securely.

Hobbit posted a very good method a while back during some binmail fiasco.
Basically, with a temp file, you are creating a file.  The way he described was
to open the file with O_EXCL so it doesn't follow symlinks.  Then, lstat the
file and make sure it is not a link.  Lastly, stat the file and make sure it
has the same inode as found in the lstat call.

My description is very poor in light of Hobbit's, so please read his to make
sure you understand how to write to files securely.

-Nate
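The procedure Nate attributes to Hobbit, written out as an added C example; this is not code from the thread, nor from the Solaris or Irix program under discussion. The predictable name /tmp/.ps<pid> is a constructed stand-in for the /tmp/.psXXXXXX name mentioned above, and the example uses fstat on the descriptor it holds in place of a second stat by name, because that compares the object actually opened against the name that lstat just checked. Note that O_EXCL only has the described effect together with O_CREAT: the open then fails if anything at all already sits at that name, a symlink included, so the link is never followed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Build the kind of pid-based name the post is talking about: <dir>/.ps<pid>.
   Constructed for this example; the real daemon's format is not on the page. */
int build_tmp_name(char *buf, size_t len, const char *dir, pid_t pid)
{
    int n = snprintf(buf, len, "%s/.ps%ld", dir, (long)pid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Create 'path' as a brand-new file and verify that the descriptor really
   refers to a plain file at that name. Returns the fd, or -1 with errno set
   (EEXIST when something already occupied the name or the checks disagree). */
int open_tmp_securely(const char *path)
{
    struct stat lst, fst;
    int fd;

    /* O_CREAT|O_EXCL: fails if *anything* exists at path, including a
       symlink planted there, so the name is never followed. Mode 0600 keeps
       other users out of the file from the moment it exists. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;

    /* lstat the name: it must be a regular file, not a symbolic link. */
    if (lstat(path, &lst) < 0 || S_ISLNK(lst.st_mode) || !S_ISREG(lst.st_mode))
        goto bad;

    /* fstat the descriptor we hold and confirm it is the same object
       (same device and inode) as the name we just examined. */
    if (fstat(fd, &fst) < 0 || lst.st_dev != fst.st_dev || lst.st_ino != fst.st_ino)
        goto bad;

    return fd;

bad:
    close(fd);
    errno = EEXIST;
    return -1;
}

/* Exercise the three cases a defender cares about: a fresh name succeeds, an
   occupied name fails, and a symlink sitting at the name fails without the
   link target being created. Returns 0 when all three behave as expected. */
int demo_secure_tmp(const char *dir)
{
    char path[256], decoy[256];
    int fd, rc = -1;

    if (build_tmp_name(path, sizeof path, dir, getpid()) < 0)
        return -1;
    snprintf(decoy, sizeof decoy, "%s.decoy", path);
    unlink(path);
    unlink(decoy);

    /* Case 1: nothing at the name yet, so the open must succeed. */
    fd = open_tmp_securely(path);
    if (fd < 0)
        goto out;
    close(fd);

    /* Case 2: the name is now taken, so a second open must fail with EEXIST. */
    if (open_tmp_securely(path) != -1 || errno != EEXIST)
        goto out;

    /* Case 3: the race the post describes, a symlink at the predictable name
       pointing at some other file. The open must fail and must not create
       the link target. */
    unlink(path);
    if (symlink(decoy, path) < 0)
        goto out;
    if (open_tmp_securely(path) != -1 || access(decoy, F_OK) == 0)
        goto out;

    rc = 0;
out:
    unlink(path);
    unlink(decoy);
    return rc;
}

int main(void)
{
    int rc = demo_secure_tmp("/tmp");
    printf("secure temp file checks: %s\n", rc == 0 ? "all passed" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

Treat EEXIST from open_tmp_securely as "pick another name or give up", never as a cue to retry without O_EXCL; the whole point is that an occupied name is someone else's. On current systems mkstemp(3) performs the same O_CREAT|O_EXCL open with an unpredictable name, which removes the guessing problem as well.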
