mailing list archives
Re: Another nice tmp race
From: gonzo () RRNET COM (Patrick J. Volkerding)
Date: Tue, 27 Oct 1998 16:23:43 -0600
On Wed, 21 Oct 1998, Stefan Laudat wrote:
Playing with my new shiny Slackware 3.5 box I have noticed
something unusual. The in.pop3d daemon creates sometimes locks for some
mailboxes in /usr/tmp/.pop. The directory is drwxrwxrwt so there will be
no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
whatever comes in your head. Be creative.
As a test, I created this link logged in as a non-root user:
/var/tmp/.pop/root -> /vmlinuz
Here's the result when root tries to pop mail:
+OK darkstar POP3 Server (Version 1.005l) ready at <Tue Oct 27 16:17:07
+OK please send PASS command
-ERR being read already /usr/spool/mail/root
+OK darkstar POP3 Server (Version 1.005l) shutdown.
/vmlinuz was unchanged after this test. Conclusion: while the locking
system used by in.pop3d may look suspect at first glance, it does not
appear to be vulnerable.
Patrick J. Volkerding
Slackware Linux maintainer