Bugtraq mailing list archives
Re: Insecure use of file in /tmp by trn
From: richardk () CHIARK GREENEND ORG UK (Richard Kettlewell)
Date: Mon, 23 Aug 1999 10:46:20 +0100
Rogier Wolff writes:
Martin Schulze wrote:
This was not intentional by the author, he tried to use tempfile(1) to create the temporary filename. However, due to a thinko, the name was hardcoded into the script.[...]+#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"So now you're using tempfile? This usually yields an easily predictable filename, for which the same exploits hold. Just keep an eye out for the last PID issued, and OK, this time you might need to flip a link (provided that tempfile indeed refuses to return a file that is currently symlinked.)
tempfile opens the chosen filename using O_CREAT|O_EXCL. If there is a link there, this means it will get EEXIST. (What tempfile then does is to pick another name and try again.) So, I believe the proposed fix is safe. ttfn/rjk
Current thread:
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 22)
- Re: Insecure use of file in /tmp by trn Martin Schulze (Aug 23)
- <Possible follow-ups>
- Re: Insecure use of file in /tmp by trn Richard Kettlewell (Aug 23)
- Re: Insecure use of file in /tmp by trn Ben Pfaff (Aug 24)
- Re: Insecure use of file in /tmp by trn Theo de Raadt (Aug 27)
- Re: Insecure use of file in /tmp by trn Martin Schulze (Aug 29)
- WU-FTPD Security Update Thomas Biege (Aug 29)
- Re: Insecure use of file in /tmp by trn Luca Berra (Aug 30)
- Re: Insecure use of file in /tmp by trn Shuman (Aug 28)
- Re: Insecure use of file in /tmp by trn Todd C. Miller (Aug 30)
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 28)
- Vixie Cron version 3.0pl1 vulnerable to root exploit Martin Schulze (Aug 28)
- Re: Insecure use of file in /tmp by trn Theo de Raadt (Aug 27)