Bugtraq mailing list archives
*sigh* another RH5 /tmp problem
From: mspencer () ENG AUBURN EDU (Mark A. Spencer)
Date: Mon, 9 Mar 1998 17:55:14 -0600
RedHat 5, when using dhcp to configure the interface, calls a script
called "ifdhcpc-done" to be executed after a dhcp interface is
configured. At the end of the process it updates resolv.conf:

    if [ -f /etc/dhcpc/resolv.conf ]; then
        echo "setting up resolv.conf" >> /tmp/dhcplog
        cp /etc/dhcpc/resolv.conf /etc
    fi

There is no protection against the dhcplog file being a symbolic link,
clobbering, blah de blah de blah... (it seems pretty useless to maintain
it too, since this is the only message that ever seems to appear in the
log).

    -rw-rw-rw- 1 root root 690 Mar 9 17:23 dhcplog

Oh, and the file also seems to default to being permissions of 666 which
allows for easy avoidance of disk quotas...
Anyway, I would just comment out the echo line and be done.
The only way to exploit this is if the dhcplog file doesn't already exist
which can occur if the system has been up for 10 days or more and is then
rebooted.
-Mark
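
The append pattern from the post next to a hardened form, as an added example that is not part of the original message or of RedHat's script. The function names and every path in the scratch directory ("shared" standing in for /tmp, "private" for a root-only log directory, "victim") are constructed for illustration.

```shell
#!/bin/sh
# Added example; every path lives under a scratch directory and is constructed.

# The pattern from the post: append to a fixed name in a shared directory.
# ">>" follows a symlink at that name and creates the target with the
# caller's umask.
log_unsafe() {    # $1 = directory, $2 = message
    echo "$2" >> "$1/dhcplog"
}

# Hardened form: only log into a directory that other users cannot write to,
# refuse anything at the log path that is not a regular file, and create the
# file with mode 600.
log_safe() {      # $1 = directory, $2 = message
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # Reject group- or world-writable directories (the /tmp case).
    [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ] || return 1
    if [ -e "$1/dhcplog" ] || [ -L "$1/dhcplog" ]; then
        [ -f "$1/dhcplog" ] && [ ! -L "$1/dhcplog" ] || return 1
    fi
    ( umask 077; echo "$2" >> "$1/dhcplog" )
}

# Constructed scenario: the log name in "shared" already exists as a symlink.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/private"
    chmod 1777 "$d/shared"; chmod 700 "$d/private"
    : > "$d/victim"
    ln -s "$d/victim" "$d/shared/dhcplog"

    log_unsafe "$d/shared" "setting up resolv.conf"
    unsafe_hit=$(wc -l < "$d/victim")     # lines that landed in victim

    if log_safe "$d/shared" "setting up resolv.conf"; then refused=no; else refused=yes; fi
    log_safe "$d/private" "setting up resolv.conf"
    mode=$(ls -l "$d/private/dhcplog" | cut -c1-10)

    rm -rf "$d"
    echo "unsafe_hit=$((unsafe_hit)) refused=$refused mode=$mode"
}
demo
```

The directory check is what removes the race: once no other user can create names in the log directory, the regular-file test on the log path cannot be invalidated between the check and the append.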
