Bugtraq mailing list archives

Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10


From: avalon () coombs anu edu au (Darren Reed)
Date: Fri, 25 Aug 1995 23:17:17 +1000


In some mail from Dr. Frederick B. Cohen, sie said:

Joy of joys.

After running lsof (the security program identified by the CERT that
lists open files) I found the following file:

-rw-rw-rw-  1 root           8025 Aug 24 04:10 /tmp/.lsof_dev_cache

This file appears to hold pointers into device files, memory maps, etc.
which lsof reads the next time around.  It could be very dangerous since
lsof normally runs as root.  Please tell me I'm wrong and it's not a hazard.

Having examined it today, it seems to be installed setgid-kmem (or something
which can read /dev/kmem) in all cases but one.

The threat is it:
        (a) doesn't use O_EXCL to open the file
        (b) uses chown instead of fchown
But
        (c) it must be run by root for there to be a problem.

People designing setuid-root programs or programs in general which perform
privileged operations and need temporary files should consider using a
non-public access directory as the temp. file location.

darren


