Bugtraq mailing list archives
Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache
From: fc () all net (Dr. Frederick B. Cohen)
Date: Sat, 9 Sep 1995 17:16:53 -0400
I started this thing and went out of town only to find tens of messages about it when I got back. I thought it was a simple matter.

If the user owns the file, put it in their home directory, mode 600 - but of course you are running insecure by making all of the files readable that have to be readable for lsof to work properly. So the predominant mode should be the mode where root owns the file.

If you have to have the cache, if it has to be owned by root, don't put it in /tmp - try /etc/private or some such area created for the purpose. Protect the file 600 for root access only, then the setUID program can run it.

All of this foolishness about checksums and file dates, etc. is useless if the attacker has a copy of lsof to make the forgery with. Since it's publicly available, we assume the attacker has it and have to use something like access controls to protect it.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
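One way a setuid program could apply the access-control approach from the message above, as an added example that is not part of the original post and not lsof's own code: create the cache with mode 0600, and refuse to read it unless its owner and mode check out. The function names and the demo path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create the cache with mode 0600. O_EXCL makes a pre-planted file or symlink
 * an error; fchmod pins the mode on the descriptor that was just created. */
int create_private_cache(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Open the cache for reading only if access controls vouch for it: a regular
 * file, not a symlink, owned by `owner`, with no group/other permission bits.
 * Returns a descriptor, or -1 with errno set (EPERM when a check fails). */
int open_trusted_cache(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat the open descriptor so the checks apply to the file being read */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *path = "./demo_dev_cache";   /* constructed demo path */
    int fd = create_private_cache(path);
    if (fd >= 0)
        close(fd);
    chmod(path, 0666);   /* simulate the world-writable cache in the subject line */
    printf("0666 cache accepted: %s\n",
           open_trusted_cache(path, geteuid()) >= 0 ? "yes" : "no");
    return unlink(path);
}
```

A root-owned setuid program would pass 0 as `owner` and keep the file in a root-only directory such as the /etc/private suggested in the message.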