Re: man problem

From: Rick Byers (rickbat_private)
Date: Fri Dec 26 1997 - 10:55:41 PST


    On Wed, 24 Dec 1997, d wrote:
    
    > > I just noticed a problem with the man system (version 2.3.10) on my Linux
    > > box: /usr/man contains the .gz'd man pages:
    > [...]
    > > When I execute man, a temporary file containing the un-zipped manpage is
    > > created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
    > > e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
    >
    > Pretty much the same with unformatted 'roff pages on unix (at least with
    > my suns around here; I assume others mostly do the same), with variously
    > different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc.
    > Another reason to use catman, I guess.
    >
    > What a neat little trick.  I never thought man would be a security hole.
    
    It will depend on exactly HOW the temporary names are generated.  NetBSD
    uses a similar formula for the name (man.XXXX), but it's guaranteed to be
    unique (mkstemp call) - so if you create the sym-links, it'll just name it
    something else.  The use of mkstemp over mktemp is also supposed to avoid
    the race condition between generating the file name and opening it for
    writing.
    
    Rick
    
    =========================================================================
    Rick Byers                                      Internet Access Worldwide
    rickbat_private                                              System Admin
    University of Waterloo, Computer Science                    (905)714-1400
    http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/
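Added example (not code from this thread or from any man implementation): the three ways of opening a temporary file that the messages above compare, run side by side in a private scratch directory. The decoy symlink, the "victim" target file and the zman<PID>aaa naming are constructed to mirror the scenario the original poster describes; the example assumes a writable /tmp. It shows why a predictable name opened with plain O_CREAT follows a pre-planted link, why O_CREAT|O_EXCL refuses it with EEXIST, and that mkstemp() always hands back a freshly created regular file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Predictable name built from the PID, opened with O_CREAT but no O_EXCL:
 * if a symlink already sits at that path, open() follows it and the data
 * lands wherever the link points. This is the mktemp()-style pattern. */
int open_predictable_temp(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/zman%daaa", dir, (int)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Same name, but O_CREAT|O_EXCL: fails with EEXIST if anything (a file
 * or a symlink, even a dangling one) is already there. This is the check
 * mkstemp() performs for every candidate name. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* mkstemp(): random suffix plus O_CREAT|O_EXCL, retried on collision. */
int open_unique_temp(const char *dir, char *path, size_t len) {
    snprintf(path, len, "%s/man.XXXXXX", dir);
    return mkstemp(path);
}

struct race_demo {
    int predictable_wrote_through_link; /* 1 if the decoy target was written */
    int exclusive_errno;                /* errno from the O_EXCL attempt */
    int mkstemp_is_regular_file;        /* 1 if mkstemp() gave a real file */
};

/* Runs entirely inside a fresh mkdtemp() directory so nothing outside it
 * is touched. Returns 0 on success with results in *out, -1 on setup
 * failure. */
int run_race_demo(struct race_demo *out) {
    char dir[] = "/tmp/manraceXXXXXX";   /* constructed scratch directory */
    char decoy[256], target[256], tmp[256];
    struct stat st;
    ssize_t n;
    int fd;

    memset(out, 0, sizeof *out);
    if (mkdtemp(dir) == NULL) return -1;

    /* Constructed scenario: "victim" stands in for a file the man process
     * can write, and a symlink is planted at the name a predictable
     * scheme would choose for this PID. */
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(decoy, sizeof decoy, "%s/zman%daaa", dir, (int)getpid());
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, decoy) != 0) return -1;

    /* 1. Predictable name, no O_EXCL: the write goes through the link. */
    fd = open_predictable_temp(dir, tmp, sizeof tmp);
    if (fd >= 0) {
        n = write(fd, "unzipped manpage\n", 17);
        (void)n;
        close(fd);
    }
    if (stat(target, &st) == 0 && st.st_size > 0)
        out->predictable_wrote_through_link = 1;

    /* 2. Same name with O_EXCL: refused, errno is EEXIST. */
    errno = 0;
    fd = open_exclusive(decoy);
    out->exclusive_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    /* 3. mkstemp(): a new regular file under a name nobody could predict. */
    fd = open_unique_temp(dir, tmp, sizeof tmp);
    if (fd >= 0) {
        if (lstat(tmp, &st) == 0 && S_ISREG(st.st_mode))
            out->mkstemp_is_regular_file = 1;
        close(fd);
        unlink(tmp);
    }

    unlink(decoy);
    unlink(target);
    rmdir(dir);
    return 0;
}

int main(void) {
    struct race_demo r;
    if (run_race_demo(&r) != 0) return 1;
    printf("predictable open wrote through link: %d\n", r.predictable_wrote_through_link);
    printf("O_EXCL open failed with EEXIST:      %d\n", r.exclusive_errno == EEXIST);
    printf("mkstemp gave a regular file:         %d\n", r.mkstemp_is_regular_file);
    return 0;
}
```

The O_EXCL case is the heart of it: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when the path is a symbolic link, whatever the link points at, so the name-generation and file-creation steps become one atomic operation instead of two separated by a window another local user can race.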
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:36 PDT