From owner-freebsd-security  Wed Apr 11  3:29:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from void.xpert.com (xpert.com [199.203.132.1])
	by hub.freebsd.org (Postfix) with ESMTP id 5448C37B422
	for <security@freebsd.org>; Wed, 11 Apr 2001 03:29:13 -0700 (PDT)
	(envelope-from Yonatan@xpert.com)
Received: from mailserv.xpert.com ([199.203.132.135])
	by void.xpert.com with esmtp (Exim 3.20 #1)
	id 14nGww-0004rO-00
	for security@freebsd.org; Wed, 11 Apr 2001 12:30:06 +0300
Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21)
	id <H75JG2C6>; Wed, 11 Apr 2001 13:28:52 +0300
Message-ID: <EB513E68D3F5D41191CA000255588101720F@mailserv.xpert.com>
From: Yonatan Bokovza <Yonatan@xpert.com>
To: "'security@freebsd.org'" <security@freebsd.org>
Subject: insecure tmp file creation in ksh93 port
Date: Wed, 11 Apr 2001 13:28:51 +0300
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
	charset="windows-1255"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,
I'm was looking at hardening the rksh
for a client when I saw the following
lines in 
src/cmd/ksh93/features/options.sh:
---
cat > /tmp/file$$ <<!
#! /bin/echo
exit 1
!
chmod 755 /tmp/file$$
if	/tmp/file$$ > /dev/null
then	echo "#define SHELLMAGIC	1"
fi
rm -f /tmp/file$$
---
what gives?

J.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message