Bugtraq mailing list archives

Re: Bootpd 2.4.3 tmp race


From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Fri, 13 Nov 1998 23:21:59 +0100


On Fri, 13 Nov 1998, Marcelo Tosatti wrote:

Sorry if this is already known.
I found a tmp race in bootpd 2.4.3.
If the user does not specify a file to dump the database, bootpd dumps it in
/tmp/bootpd.dump.

...

      if (argc > 1)
              bootpd_dump = argv[1];
-
+     else
+             mktemp(DUMPTAB_FILE);
      /*
       * Get my hostname and IP address.
       */
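
Review bot: In the added else branch, the return value of mktemp(DUMPTAB_FILE) is discarded and nothing is assigned to bootpd_dump, so the generated name only takes effect if bootpd_dump already points at the same writable buffer. mktemp() rewrites its argument in place and requires a template ending in XXXXXX, so if DUMPTAB_FILE expands to a string literal like the /tmp/bootpd.dump default, the call either fails or writes to constant storage. It also only picks a name without creating the file, which leaves the window between choosing the name and opening it. Suggest copying the template into a writable array and creating the file atomically with mkstemp(), or with open() using O_CREAT|O_EXCL, in a directory that only the daemon can write to.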

Of course, this is not a fix. It just makes the problem less obvious and
lowers the risk of abuse. (Even if the risk has already been low because
a certain signal must be sent to the daemon and this is a rare event in
most installations.) Moreover, it is questionable whether saving the dump
using a randomized filename is useful because you have to do something
nontrivial to find the dump.

The proper solution (for any bug of this kind) is to stop putting
such files into /tmp or any other publicly readable directory.

--Pavel Kankovsky aka Peak  [ Boycott Czech Telecom--http://www.bojkot.cz ]
"SPT Telecom... now we are making tomorrow more expensive!" [ Engl. lang. info-- .../english/ ]
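
The approach recommended in the message above (keep the dump out of publicly accessible directories), sketched as an added example that is not part of the original post or of bootpd. The helper `open_dump_file`, the `demo` self-check, and the scratch directory name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not bootpd code): create `name` inside `dir`. */
int open_dump_file(const char *dir, const char *name)
{
    struct stat st;
    int fd, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* Only the daemon's own uid may be able to create names here. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd); errno = EPERM;
        return -1;
    }
    /* Remove any stale name (a symlink is not followed), create exclusively. */
    if (unlinkat(dfd, name, 0) < 0 && errno != ENOENT) {
        close(dfd); return -1;
    }
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

/* Constructed self-check in a scratch directory; returns 0 on success. */
int demo(void)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX", victim[64], dump[64];
    struct stat st;
    int fd, bad = 0;
    if (!mkdtemp(dir)) return -1;              /* private, mode 0700 */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/bootpd.dump", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink("victim", dump) < 0) bad |= 8; /* planted link */
    fd = open_dump_file(dir, "bootpd.dump");
    if (fd < 0 || write(fd, "dump\n", 5) != 5) bad |= 1;
    if (stat(victim, &st) < 0 || st.st_size != 0) bad |= 2; /* untouched */
    if (fd >= 0) close(fd);
    chmod(dir, 0777);                          /* now world-writable */
    if (open_dump_file(dir, "bootpd.dump") != -1 || errno != EPERM) bad |= 4;
    unlink(dump); unlink(victim); rmdir(dir);
    return bad;
}
int main(void) { return demo(); }
```

The self-check plants a symlink at the dump name and confirms that the link target stays empty, then confirms that the same directory is refused once it becomes writable by other users.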


