[2224] in bugtraq
Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache
daemon@ATHENA.MIT.EDU (Dr. Frederick B. Cohen)
Sat Sep 9 23:48:14 1995
Date: Sat, 9 Sep 1995 17:16:53 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: "Dr. Frederick B. Cohen" <fc@all.net>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199508300018.UAA04128@Collatz.McRCIM.McGill.EDU> from "der Mouse" at Aug 29, 95 08:18:53 pm
I started this thing and went out of town only to find tens of
messages about it when I got back. I thought it was a simple matter.
If the user owns the file, put it in their home directory, mode
600 - but of course you are running insecure by making all of the files
readable that have to be readable for lsof to work properly. So the
predominant mode should be the mode where root owns the file. If you
have to have the cache, if it has to be owned by root, don't put it in
/tmp - try /etc/private or some such area created for the purpose.
Protect the file 600 for root access only, then the setUID program can
run it.
All of this foolishness about checksums and file dates, etc. is
useless if the attacker has a copy of lsof to make the forgery with. Since
it's publicly available, we assume the attacker has it and have to use
something like access controls to protect it.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
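The access-control rule stated above (root-owned file, mode 600, in a directory created for the purpose rather than /tmp) can be turned into a check a privileged program or an administrator runs before trusting a cache file. The following shell function is an added example for this archive page, not code from the original post or from lsof; it assumes GNU coreutils stat(1), and the file path and owner uid it takes are hypothetical parameters. It refuses symbolic links, files with any group/other permission bits, files not owned by the expected uid, and files whose immediate directory is owned by someone else or writable by group or world (which is what rules out a /tmp-style shared directory). Checksums and timestamps are deliberately not consulted, for the reason the post gives.

```shell
#!/bin/sh
# Trusted-path check for a privileged program's cache file (added example).
# Policy: regular file, not a symlink, owned by the expected uid (root = 0 by
# default), mode 600 or stricter, living in a directory owned by the same uid
# that is not group- or world-writable. Fails closed on any error.
# Assumes GNU coreutils stat(1); path and uid arguments are hypothetical.

# cache_is_trusted FILE [OWNER_UID]
# Returns 0 if FILE satisfies the policy, 1 otherwise (reason on stderr).
cache_is_trusted() {
    f=$1
    want_uid=${2:-0}

    # A link in a shared directory can point the privileged program at a file
    # someone else controls, so links are rejected before anything is read.
    if [ -L "$f" ]; then
        echo "untrusted: $f is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "untrusted: $f is not a regular file" >&2
        return 1
    fi

    # %u = owner uid, %a = permission bits in octal (GNU stat, uses lstat).
    out=$(stat -c '%u %a' "$f") || return 1
    f_uid=${out% *}
    f_mode=${out#* }
    if [ "$f_uid" != "$want_uid" ]; then
        echo "untrusted: $f owned by uid $f_uid, expected $want_uid" >&2
        return 1
    fi
    # Any group/other bit (octal mask 077) is more permissive than 600.
    if [ $(( 0$f_mode & 077 )) -ne 0 ]; then
        echo "untrusted: $f mode $f_mode grants group/other access" >&2
        return 1
    fi

    # The containing directory must belong to the same uid and must not be
    # writable by group or others (mask 022); /tmp at 1777 fails this test,
    # a purpose-made root-owned directory at 700 passes it.
    d=$(dirname "$f")
    out=$(stat -c '%u %a' "$d") || return 1
    d_uid=${out% *}
    d_mode=${out#* }
    if [ "$d_uid" != "$want_uid" ]; then
        echo "untrusted: directory $d owned by uid $d_uid, expected $want_uid" >&2
        return 1
    fi
    if [ $(( 0$d_mode & 022 )) -ne 0 ]; then
        echo "untrusted: directory $d mode $d_mode is group/world writable" >&2
        return 1
    fi

    return 0
}

# Stand-alone use: cache_check.sh /path/to/cache [owner_uid]
if [ "$#" -gt 0 ]; then
    cache_is_trusted "$@"
    exit $?
fi
```

Run with the cache path as the first argument; the exit status is 0 only when every condition holds, so the function can gate the privileged program's use of the cache directly. Only the immediate parent directory is inspected; a stricter deployment would walk every ancestor up to the root with the same ownership and write-bit test.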