Message-ID: <19980426234408.04873@panke.de>
Date: Sun, 26 Apr 1998 23:44:08 +0200
From: Wolfram Schneider
To: rotel@indigo.ie
Cc: David Kelly, freebsd-security@FreeBSD.ORG, wosch@FreeBSD.ORG, ncb05@uow.edu.au
Subject: Re: Symlinks again...
References: <199804251210.NAA01265@indigo.ie>
In-Reply-To: <199804251210.NAA01265@indigo.ie>; from Niall Smart on Sat, Apr 25, 1998 at 01:10:25PM +0000

On 1998-04-25 13:10:25 +0000, Niall Smart wrote:
> On Apr 24, 10:13pm, David Kelly wrote:
> } Subject: Re: Symlinks again...
> > > [ discussion of problem with temporary files in locate.* ]

This is a known problem. As an intruder I would not waste my
time with locate. There are a lot of easier ways to break into
the system.

A real fix is:
1) set TMPDIR to a filesystem which has symlinks disabled
   (mount -o nosymfollow)
or
2) set TMPDIR to a directory which is only writeable for the user nobody.

> > > The code is still wrong though, an account is compromisable. I
> > > would submit a PR. mktemp(1) should be ported to -stable to make
> > > fixing/avoiding this type of thing easier. Any takers?
> >
> > It appears mktemp made it into RELENG_2_2 recently (I don't know how to
> > ask CVS yet). So maybe all that's left to do is fold it into the right
> > places?

Your changes ignored the fact that many other programs/scripts
(e.g. sort(1)) may create temp files in /tmp.

--
Wolfram Schneider http://www.freebsd.org/~wosch/
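
Added example, not part of the original message or of the locate scripts: a shell sketch of the second fix discussed above, combining mktemp(1) with a private TMPDIR so that child programs such as sort(1) inherit it. The function names and the file names private.*, job.1234 and child.* are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: all paths below are constructed and live in a scratch directory.

# Create a fresh directory that only the caller can enter or write to.
make_private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    # mktemp -d picks an unpredictable name and creates the directory
    # atomically with mode 0700, failing if the name already exists.
    d=$(mktemp -d "$base/private.XXXXXXXX") || return 1
    # Belt and braces: must be a real directory, not a symlink.
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    printf '%s\n' "$d"
}

# Run "$@" with TMPDIR pointing at a private directory, so child programs
# that honour TMPDIR (sort(1) among them) keep their temp files out of /tmp.
run_with_private_tmp() {
    priv=$(make_private_tmpdir) || return 1
    ( TMPDIR=$priv; export TMPDIR; "$@" )
    rc=$?
    rm -rf -- "$priv"
    return "$rc"
}

# Show why a predictable name in a shared directory is the problem:
# redirecting to it follows a link planted earlier and rewrites the target.
demo_predictable_name() {
    scratch=$(make_private_tmpdir) || return 1
    printf 'original\n' > "$scratch/target"
    ln -s "$scratch/target" "$scratch/job.1234"    # guessed name, planted first
    echo 'temp data' > "$scratch/job.1234"         # unsafe: follows the link
    result=$(cat "$scratch/target")
    rm -rf -- "$scratch"
    printf '%s\n' "$result"
}

# Helper used as the child command: report the mode of $TMPDIR and
# the directory in which a mktemp(1) file created by the child ends up.
report_tmp() {
    f=$(mktemp "$TMPDIR/child.XXXXXXXX") || return 1
    printf '%s %s\n' "$(ls -ld "$TMPDIR" | cut -c1-10)" "${f%/*}"
}
```

A job would be wrapped as `run_with_private_tmp some_command args`; programs that hard-code /tmp instead of reading TMPDIR are not covered by this.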