Bugtraq mailing list archives
Re: Linux and world-writable /tmp - UPDATE (fwd)
From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Mon, 13 Jul 1998 00:51:25 +0200
On Thu, 16 Jul 1998, Olaf Kirch wrote:
> There are some things I do not understand about this patch.
>
> 1. The code does not redirect /tmp access of processes running with a real, effective, or fs uid of root. So it doesn't buy you anything when it comes to /tmp attacks on setuid root programs.
No. You have to make /tmp chmod 755, only root-writable, so there's no risk. Please read the README carefully ;-)
> 2. The code does not keep normal users from messing around in the real /tmp directory. Use ///tmp, or chdir("/") and use "tmp", or unset both HOME and TMPDIR, or symlink your $HOME/tmp to /tmp, etc.
Yes. It redirects only typical requests. It won't protect /tmp itself, as I wrote - you have to do 'chmod 755 /tmp'. Without this patch, your programs won't work after the above chmod. With the patch, they will. It has been mentioned in the README, again.
> 3. Some setuid programs do open temporary files in /tmp for a reason; they do not expect them to be created in /etc. They also do not expect that the user invoking the program can flip to a different directory underneath of it. An interesting attack (having redtmp loaded) would go like this:
Setuid programs are NOT redirected to $HOME/tmp. If you want to force setgid redirection too, simply modify the code, but I can't see a serious reason to do it (any real-life examples, not 'hypothetical' examples - I can talk about a 'hypothetical' setuid program executing rm -rf / if only it detects redtmp installed, but... ;-).

_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
To iterate is human, to recurse - divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
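Point 2 of the quoted message rests on the difference between matching how a path is spelled and matching the directory it resolves to. The C code below is an added illustration, not code from the redtmp patch or from either poster; the function names and sample file names are constructed, and it assumes /tmp exists on the machine it runs on.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Naive check: string match on the usual spelling of the directory only. */
int naive_in_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Canonical check: resolve symlinks, "..", repeated slashes and relative
 * names first. A file that does not exist yet is judged by its parent. */
int canonical_in_dir(const char *path, const char *dir)
{
    char want[PATH_MAX], got[PATH_MAX], buf[PATH_MAX];
    char *slash;
    if (strlen(path) >= sizeof buf || realpath(dir, want) == NULL)
        return -1;
    if (realpath(path, got) == NULL) {
        if (errno != ENOENT)
            return -1;
        strcpy(buf, path);
        slash = strrchr(buf, '/');
        if (slash == NULL)
            strcpy(buf, ".");          /* bare name: parent is the cwd */
        else if (slash == buf)
            buf[1] = '\0';             /* "/name": parent is the root */
        else
            *slash = '\0';             /* keep everything before the name */
        if (realpath(buf, got) == NULL)
            return -1;
    }
    return naive_in_dir(got, want);    /* both sides are canonical now */
}

int main(void)
{
    /* Constructed sample names; the last is relative to "/" after chdir. */
    const char *names[] = { "/tmp/x.lock", "///tmp/x.lock", "tmp/x.lock" };
    if (chdir("/") != 0) return 1;
    for (size_t i = 0; i < 3; i++)
        printf("%-14s naive=%d canonical=%d\n", names[i],
               naive_in_dir(names[i], "/tmp"), canonical_in_dir(names[i], "/tmp"));
    return 0;
}
```

Resolving the path and then opening it are still two separate steps, so this check alone does not close a race on a directory other users can write to; the chmod 755 on /tmp described in the reply is what removes that writer.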