X-RDate: Tue, 17 Mar 1998 16:41:47 +0500 (ESK)
Date: Sat, 14 Mar 1998 17:57:33 +0100
From: Michal Zalewski <[email protected]>
To: [email protected]Subject: [linux-security] Vunerable shell scripts
I made a list of /usr/bin scripts which allows /tmp races. Following
ones creates /tmp/something.$$, then, with no
permission/ownership checking, /tmp/something.$$.x (x may vary
;), or even performs suitable checks, but gives enough time to alter /tmp
contents: glibcbug, bashbug, znew, mailstat, autoupdate, x11perfcomp,
gccmakedep, pnmindex, xcopy, autoheader, cvsbug, rcs2log, updatedb, igawk,
zdiff, zcmp, findaffix, munchlist, report-kaffe-bug, mailshar, MakeTeXPK,
makeindex, texhash, ircbug [...]
This list has been made on RedHat 5.0 Linux distribution. It includes
only /bin/sh scripts and it isn't complete, but maybe it will show the
range of /tmp races problem. Simple
TMPFILE=/tmp/myproggy.$$
trap "rm -f $TMPFILE;exit 1" 1 2 ...
[...]
do_something >$TMPFILE
is not sufficient and may be extremally harmful!!! You should at least use
mktemp to create temporary files, or|and prevent from creating anything
in /tmp directly.
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [[email protected]]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe [email protected] < /dev/null