Bugtraq mailing list archives
Re: Bootpd 2.4.3 tmp race
From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Fri, 13 Nov 1998 23:21:59 +0100
On Fri, 13 Nov 1998, Marcelo Tosatti wrote:
Sorry if this is already known. I found a tmp race in bootpd 2.4.3. If the user does not specify a file to dump the database, bootpd dumps it in /tmp/bootpd.dump.
...
if (argc > 1) bootpd_dump = argv[1]; - + else + mktemp(DUMPTAB_FILE); /* * Get my hostname and IP address. */
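Review bot: in the added else branch, mktemp(DUMPTAB_FILE) only generates a name and does not create the file, so the window between picking the name and the later open of the dump file is still there. The call's return value is also discarded and bootpd_dump is not assigned in the lines shown, so the patch works only if DUMPTAB_FILE is a writable buffer ending in XXXXXX that mktemp can rewrite in place (a string literal would not be), and only if the dump code reads that same buffer. Suggest creating the file atomically instead (mkstemp, or open with O_CREAT|O_EXCL) and keeping the resulting descriptor or name in bootpd_dump.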
Of course, this is not a fix. It just makes the problem less obvious and lowers the risk of abuse. (Even if the risk has already been low because a certain signal must be sent to the daemon and this is a rare event in most installations.) Moreover, it is questionable whether saving the dump using a randomized filename is useful because you have to do something nontrivial to find the dump.

The proper solution (for any bug of this kind) is to stop putting such files into /tmp or any other publicly readable directory.

--Pavel Kankovsky aka Peak [ Boycott Czech Telecom--http://www.bojkot.cz ]
"spt Telecom... ted zdrazujeme zitrek!" [ Engl. lang. info-- .../english/ ]
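An added example, not part of the original post and not bootpd's own code: one way to follow the advice above in C, by refusing any dump directory that other users can write to and creating the file exclusively relative to a pinned directory descriptor. The function name `open_dump` and its parameters are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* openat(), unlinkat(), O_NOFOLLOW, O_DIRECTORY */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a fresh dump file `name` inside `dir` (hypothetical parameters).
 * Returns a write-only descriptor, or -1 with errno set. */
int open_dump(const char *dir, const char *name)
{
    struct stat st;
    int dfd, fd, saved;

    if (strchr(name, '/')) {          /* plain file name only, no traversal */
        errno = EINVAL;
        return -1;
    }
    /* Pin the directory by descriptor; refuse a symlink in its place. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Only this user may create or rename entries: owned by us, no group
     * or other write bit. /tmp (mode 1777) fails this check. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* Drop the previous dump (unlink removes the entry itself, never a
     * symlink's target), then create exclusively so that no pre-existing
     * file or link is ever opened. */
    if (unlinkat(dfd, name, 0) < 0 && errno != ENOENT) {
        saved = errno;
        close(dfd);
        errno = saved;
        return -1;
    }
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}
```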