Re: Tripwire temporary files

From: Jarno Huuskonen (Jarno.Huuskonenat_private)
Date: Tue Jul 10 2001 - 03:20:41 PDT

    On Tue, Jul 10, Paul Starzetz wrote:
    > Jarno Huuskonen wrote:
    > 
    > >  I found out about the problem when I noticed a temporary file
    > >  /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire
    > >  binary with strace and noticed that temporary files in /tmp are opened
    > >  without the O_EXCL flag.
    > 
    > Here is a strace from tripwire 1.2 (Source RPM: tripwire-1.2-223.src.rpm):
    > 
    > open("/tmp/twznG1Eud", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4
    > open("/tmp/twzd9tWqg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
    > open("/tmp/twzzykpkj", O_RDWR|O_CREAT, 0600) = 4
    > 
    > nowhere the current pid is used - instead a 6 byte template appears,
    > which is not really predictable (at least shouldn't be!).
    
    So that version of tripwire is not compiled with glibc that uses a
    letter + pid as the unique/random part. I only mentioned that the binary
    version of tripwire (2.2.1) available from www.tripwire.com does that.
    But as you can see, it doesn't use O_EXCL, so if the 'random' file happens
    to be a symlink, tripwire will overwrite files.
    
    -Jarno
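
The difference O_EXCL makes, as an added example that is not part of the original message or of Tripwire's code: inside a private scratch directory, a symlink stands in for the temporary file name and is opened once with the flags from the quoted strace and once with O_CREAT|O_EXCL. The function names, the `twtemp`/`victim` file names and the sample contents are assumptions made for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags of the first open() in the quoted strace (mode tightened to 0600):
 * an existing symlink is followed and its target is truncated. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* With O_CREAT|O_EXCL, open() fails with EEXIST if the name already exists,
 * and a symlink counts as existing whether or not its target does. */
static int open_tmp_excl(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Builds <scratch>/victim (15 bytes) and a symlink <scratch>/twtemp -> victim,
 * opens the symlink, and returns the victim's size afterwards (-1 on setup error).
 * *open_errno receives errno from the open() call, or 0 if it succeeded. */
long victim_size_after_open(int use_excl, int *open_errno) {
    char dir[] = "/tmp/twdemoXXXXXX", victim[64], tmpname[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;            /* private 0700 scratch directory */
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/twtemp", dir);
    FILE *f = fopen(victim, "w");
    if (f) { fputs("important data\n", f); fclose(f); }
    int linked = f && symlink(victim, tmpname) == 0;
    int fd = -1;
    if (linked) fd = use_excl ? open_tmp_excl(tmpname) : open_tmp_unsafe(tmpname);
    *open_errno = (linked && fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    long size = (linked && stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(tmpname); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e;
    long size = victim_size_after_open(0, &e);
    printf("without O_EXCL: victim is %ld bytes after open()\n", size);
    size = victim_size_after_open(1, &e);
    printf("with O_EXCL: victim is %ld bytes, open() said: %s\n", size, strerror(e));
    return 0;
}
```

mkstemp(3) performs the same O_CREAT|O_EXCL open on a name it generates itself, which also removes the dependence on how predictable the name is.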
    


