Hi! > mc 4.5.0 creates a temporary file in /tmp when it's started. > It's called talk.fish and has the mode 644. If a user would link the > file to /etc/passwd or anything else, when the root would start mc, the > file would be erased. It was me who added talk.fish file (and it kind of escaped me, sorry), it is debugging hack and it is currently disabled in my tree (and CVS). Workaround is: create /tmp/talk.fish yourself, so that noone can put symlink there solution is: do not run beta software as root, 4.0.X is stable, 4.5.0 is not. Pavel PS: There are more /tmp/ holes in midnight commander, beware. Extfs scripts contain some. I'm going to mark them FIXME: TMP RACE in development tree. What is worse, they are probably going to stay there until someone invents safe & portable way of how to work with temporary files from shell. (Actually, is this safe? It might be safe & portable, unfortunately, it is also slow & ugly) TMPDIR=/tmp/mctmpdir.$$ mkdir $TMPDIR || exit 0 cd $TMPDIR do_something > $TMPDIR/file rm $TMPDIR/file rmdir $TMPDIR ? PPS: It might be nice to contact authors of affected program few days before you post to bugtraq... -- I'm really pavelat_private Pavel Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:34 PDT