[2166] in bugtraq
Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10
daemon@ATHENA.MIT.EDU (Darren Reed)
Tue Aug 29 07:09:17 1995
Date: Fri, 25 Aug 1995 23:17:17 +1000
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Darren Reed <avalon@coombs.anu.edu.au>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <9508241734.AA16279@all.net> from "Dr. Frederick B. Cohen" at Aug 24, 95 01:34:46 pm
In some mail from Dr. Frederick B. Cohen, sie said:
>
> Joy of joys.
>
> After running lsof (the security program identified by the CERT that
> lists open files) I found the following file:
>
> -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache
>
> This file appears to hold pointers into device files, memory maps, etc.
> which lsof reads the next time around. It could be very dangerous since
> lsof normally runs as root. Please tell me I'm wrong and it's not a hazard.
Having examined it today, it seems to be installed setgid-kmem (or something
which can read /dev/kmem) in all cases but one.
The threat is that it:
(a) doesn't use O_EXCL to open the file
(b) uses chown instead of fchown
But
(c) it must be run by root for there to be a problem.
People designing setuid-root programs or programs in general which perform
privileged operations and need temporary files should consider using a
non-public access directory as the temp. file location.
darren