Bugtraq mailing list archives

Re: [linux-security] Pine security problem


From: dupuis () lei ucl ac be (Pascal A. Dupuis)
Date: Thu, 12 Sep 1996 09:41:45 +0200


On Tue, 10 Sep 1996, Liam O. Forbes wrote:

This is in regards to the "fix" of the possible security problem in
Pine < v3.95.  Pine 3.95 does indeed check for symbolic links, now, before
[...]
If you use the alternate editor feature, and a symbolic link exists with the
desired name, the link isn't checked like the mail lock file is, and the editor
dumps everything into the file pointed to by the symbolic link.  This can lead
to several possible security breaches via:
  1.  the ability to mangle a target file.
  2.  the ability to eavesdrop on composed messages.
  3.  (if you are really fancy) the ability to set up at least one bogus
      .rhosts entry by sending email to someone who responds to email by
      quoting entire files.
There are probably several other things that can be done via this /tmp file
problem (and have been).

I tried with my system, running Pine3.95 on Linux 2.0.18.
A) I started composing a message, invoked the alternate editor (with
Linux and a French keyboard, the command is ^), ??? ). From another login
name, I do:
  cd /tmp
  ln -s pico.pid hacker.tmp
  more hacker.tmp -> permission denied !
B) I started the other way:
  first, from the other login
  ln -s hacker.tmp pico.pid
Then, start composing a message. Invoking the alternate command resulted
in the error message: "Problem creating pico temp file", and I was unable
to use the alternate editor.
On the Linux system, the /tmp/pico.pid file is created 600, owned by the
Pine user. At first glance, this should be safe, shouldn't it?

Pascal A. Dupuis

--
Information Science is emerging from the Prehistoric Ages, but its
language still reflects it: gnu, hurd, awk, nroff, ls, ar, chmod, ...
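The thread turns on one question: does the program that creates /tmp/pico.pid open it in a way that refuses to follow a symbolic link planted there first? The C program below is an added illustration for this archive page, not code from Pine or from either poster, and it reproduces the scenario in a scratch directory rather than /tmp. The names create_private_tempfile, fd_is_private_regular and demo_symlink_defense, and the victim/pico.1234 file names, are all constructed for the example. It shows the defensive pattern (open with O_CREAT|O_EXCL|O_NOFOLLOW, or mkstemp, which does the same) refusing the pre-planted link and leaving the target file untouched, then falling back to an unpredictable name:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp, mkstemp, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create `path` as a brand-new regular file private to the caller.
 * O_CREAT|O_EXCL fails if anything already exists at that name, so a
 * pre-planted symlink is never followed; O_NOFOLLOW is belt and braces.
 * Returns an open descriptor, or -1 with errno set. */
int create_private_tempfile(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Enforce 0600 regardless of the caller's umask. */
    if (fchmod(fd, 0600) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* 1 if `fd` is a regular file with no group/other permission bits, else 0. */
int fd_is_private_regular(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
}

/* Reproduce the thread's scenario in a throwaway directory:
 * a second user pre-creates <dir>/pico.1234 as a symlink to a victim file
 * before the mail client tries to create its temp file there.
 * Returns 0 when the defence behaves as expected, otherwise the failing step. */
int demo_symlink_defense(void) {
    char dir[64] = "/tmp/pinedemo.XXXXXX";
    if (!mkdtemp(dir)) {                 /* fall back to the current dir */
        strcpy(dir, "./pinedemo.XXXXXX");
        if (!mkdtemp(dir))
            return 1;
    }
    char victim[128], planted[128], tmpl[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/pico.1234", dir);
    snprintf(tmpl, sizeof tmpl, "%s/pico.XXXXXX", dir);

    int rc = 0;
    /* Constructed victim file: the attacker wants the editor to write here. */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (vfd < 0 || write(vfd, "secret\n", 7) != 7) {
        if (vfd >= 0) close(vfd);
        rc = 2;
        goto cleanup;
    }
    close(vfd);

    /* Step 1: the attacker plants the predictable name as a symlink. */
    if (symlink(victim, planted) < 0) { rc = 3; goto cleanup; }

    /* Step 2: a safe creator must refuse the planted name ... */
    int fd = create_private_tempfile(planted);
    if (fd >= 0) { close(fd); rc = 4; goto cleanup; }
    if (errno != EEXIST && errno != ELOOP) { rc = 5; goto cleanup; }

    /* ... and the victim file must be exactly as it was. */
    struct stat st;
    if (stat(victim, &st) < 0 || st.st_size != 7) { rc = 6; goto cleanup; }

    /* Step 3: pick an unpredictable name instead; mkstemp uses O_EXCL too. */
    int fd2 = mkstemp(tmpl);
    if (fd2 < 0) { rc = 7; goto cleanup; }
    if (!fd_is_private_regular(fd2)) rc = 8;
    close(fd2);
    unlink(tmpl);

cleanup:
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo_symlink_defense();
    printf("symlink defence check: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The two failure modes worth separating are the ones the posters saw: if the temp file name is predictable and created without O_EXCL, a planted link silently redirects the write (step 2 is where that would surface); if it is created with O_EXCL but the name is still predictable, the attacker cannot read anything but can still deny use of the editor by parking a link on the name, which is why step 3 moves to an unpredictable name rather than retrying the same one.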
