On Tue, Jul 10, Paul Starzetz wrote: > Jarno Huuskonen wrote: > > > I found out about the problem when I noticed a temporary file > > /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire > > binary with strace and noticed that temporary files in /tmp are opened > > without the O_EXCL flag. > > Here a strace from tripwire 1.2 (Source RPM: tripwire-1.2-223.src.rpm): > > open("/tmp/twznG1Eud", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4 > open("/tmp/twzd9tWqg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3 > open("/tmp/twzzykpkj", O_RDWR|O_CREAT, 0600) = 4 > > nowhere the current pid is used - instead a 6 byte template appears, > which is not really predictable (at least shouldn't be!). So that version of tripwire is not compiled with glibc that uses a letter + pid as the unique/random part. I only mentioned that the binary version of tripwire (2.2.1) avalaible from www.tripwire.com does that. But as you can see it doesn't use O_EXCL so if the 'random' file happens to be a symlink tripwire will overwrite files. -Jarno
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 07:29:11 PDT