X-Loop: owner@bugs.debian.org
Subject: Bug#138975: hotplug: /tmp symlink vulnerability
Reply-To: Zygo Blaxell <zblaxell@feedme.hungrycats.org>,
	138975@bugs.debian.org
Resent-From: Zygo Blaxell <zblaxell@feedme.hungrycats.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-Cc: Fumitoshi UKAI <ukai@debian.or.jp>,
	hotplug@packages.qa.debian.org
Resent-Date: Mon, 18 Mar 2002 23:18:02 GMT
Resent-Message-ID: <handler.138975.B.101649259227369@bugs.debian.org>
X-Debian-PR-Message: report 138975
X-Debian-PR-Package: hotplug
X-Debian-PR-Keywords: security
From: Zygo Blaxell <zblaxell@feedme.hungrycats.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Mailer: reportbug 1.48
Date: Mon, 18 Mar 2002 18:02:38 -0500
Message-Id: <E16n69G-00034f-00@satsuki.furryterror.org>
Delivered-To: submit@bugs.debian.org
Resent-Sender: Debian BTS <debbugs@master.debian.org>

Package: hotplug
Version: 0.0.20020114-5
Severity: normal
File: /etc/hotplug/ieee1394.agent
Tags: security

Seen in /etc/hotplug/ieee1394.agent:

	if touch /tmp/test.$$ >/dev/null 2>&1
	then
		rm -f /tmp/test.$$
	else
		mesg Need writable /tmp ...
		exit 1
	fi

Not only does this follow symlinks when it executes as root, thereby allowing someone
to create files all over the system, but it also removes innocent files created
under /tmp whose names happen to coincide with the PID of the agent...

A better approach would be to try to create a directory under /tmp.
That won't work if the /tmp disk is full, but on the other hand not much is
going to work in such a state anyway.

An even better approach would be to try to touch /tmp itself--if that
fails, you certainly won't be able to write files in subdirectories
of /tmp.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux satsuki 2.4.18-pre7aa2-zb-p3-laptop #1 Sat Feb 9 17:03:54 EST 2002 i686
Locale: LANG=C, LC_CTYPE=

Versions of packages hotplug depends on:
ii  debconf                       1.0.26     Debian configuration management sy
ii  modutils                      2.4.13-3   Linux module utilities.
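Added example, not code from the hotplug package or from the reporter: the two safer probes the report proposes (mkdir a private directory under /tmp, or touch /tmp itself) written as POSIX sh functions, plus a sandboxed check that mkdir refuses to follow a pre-planted symlink the way touch does. Function names, the `probe.XXXXXX` template and the sandbox layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not part of the hotplug package): hardened replacements
# for the "is /tmp writable?" test from /etc/hotplug/ieee1394.agent.
# Function names and the template below are assumptions of this example.

# Approach A from the report: touch the directory itself.  touch(1) on an
# existing directory only updates its timestamps; it creates no file, so
# there is no name an attacker can pre-create as a symlink, and nothing to
# remove afterwards.  Succeeds iff the caller has write permission on $dir.
tmp_writable_touch() {
    dir=${1:-/tmp}
    touch "$dir" >/dev/null 2>&1
}

# Approach B from the report: create a directory under $dir.  mkdir(2)
# never follows a symlink at the target name (it fails with EEXIST), and
# mktemp picks an unpredictable name, so a PID-based guess is useless.
# The probe is removed with rmdir, which cannot delete a regular file.
tmp_writable_mkdir() {
    dir=${1:-/tmp}
    probe=$(mktemp -d "$dir/probe.XXXXXX" 2>/dev/null) || return 1
    rmdir "$probe"
}

# Sandboxed demonstration of why mkdir is safe where touch is not:
# plant a dangling symlink at the PID-derived name the original agent
# would have used, then try to mkdir it.  Returns 0 when mkdir refuses
# (EEXIST) and the link target was never created.  Needs no root.
mkdir_refuses_symlink() {
    sandbox=$1
    victim="$sandbox/victim"
    link="$sandbox/test.$$"
    rm -f "$victim" "$link"
    ln -s "$victim" "$link"
    if mkdir "$link" 2>/dev/null; then
        rm -rf "$link"          # unexpected: mkdir followed the link
        return 1
    fi
    rm -f "$link"
    [ ! -e "$victim" ]
}

# Stand-alone usage: report on the real temp directory.
if tmp_writable_touch "${TMPDIR:-/tmp}"; then
    echo "${TMPDIR:-/tmp} is writable (touch probe)"
else
    echo "Need writable ${TMPDIR:-/tmp} ..."
fi
```

Of the two, the touch-the-directory probe is the cheaper one and also works when the filesystem is full, which the report notes the mkdir variant does not; the mkdir variant has the advantage of proving that an actual new entry can be created.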
