Hi!
> mc 4.5.0 creates a temporary file in /tmp when it's started.
> It's called talk.fish and has the mode 644. If a user would link the
> file to /etc/passwd or anything else, when the root would start mc, the
> file would be erased.
It was me who added talk.fish file (and it kind of escaped me, sorry),
it is debugging hack and it is currently disabled in my tree (and
CVS). Workaround is:
create /tmp/talk.fish yourself, so that noone can put symlink there
solution is: do not run beta software as root, 4.0.X is stable, 4.5.0
is not.
Pavel
PS: There are more /tmp/ holes in midnight commander, beware. Extfs
scripts contain some. I'm going to mark them FIXME: TMP RACE in
development tree. What is worse, they are probably going to
stay there until someone invents safe & portable way of how to work
with temporary files from shell.
(Actually, is this safe? It might be safe & portable, unfortunately,
it is also slow & ugly)
TMPDIR=/tmp/mctmpdir.$$
mkdir $TMPDIR || exit 0
cd $TMPDIR
do_something > $TMPDIR/file
rm $TMPDIR/file
rmdir $TMPDIR
?
PPS: It might be nice to contact authors of affected program few days
before you post to bugtraq...
--
I'm really pavelat_private Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:34 PDT