On Monday, 25 August 2008 at 14:02 +0400, Dmitry E. Oboukhov wrote:
> On 11:09 Mon 25 Aug , Julien Valroff wrote:
> JV> Hi Dmitry,
>
> JV> On Sunday, 24 August 2008 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> JV>> Package: rkhunter
> JV>> Severity: grave
[...]
> JV>> In some packages I've discovered scripts with errors which may be used
> JV>> by a user for damaging important system files or user's files.
> JV>>
> JV>> For example if a script uses in its work a temp file which is created
> JV>> in /tmp directory, then every user can create symlink with the same
> JV>> name in this directory in order to destroy or rewrite some system
> JV>> or user file. Symlink attack may also lead not only to the data
> JV>> destruction but to denial of service as well.
>
> JV> I think rkhunter is safe, given that the script does check that the file
> JV> in /tmp is a file (and not a symlink) before using it:
>
> JV> if [ "$1" = "--debug" ]; then
> JV>     if [ -e "/tmp/rkhunter-debug" ]; then
> JV>         if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
> JV>             rm -f /tmp/rkhunter-debug >/dev/null 2>&1
> JV>         else
> JV>             echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
> JV>             exit 1
> JV>         fi
> JV>     fi
>
> JV> Would you please confirm this is ok so that I can close this bug?
>
> could you create temp-file as:
>
> if [ $1 = "--debug" ]; then
>     DEBUG_FILE=`mktemp -t rkhunter-debug.XXXXXXXXXX`
>     ...
>     using debug file $DEBUG_FILE
> fi

Sure, but can you explain what this would change in terms of security and
wrt to the bug reported?

Cheers,
Julien
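
The difference asked about above, as an added example (not rkhunter's code and not written by either poster): it contrasts check-then-write on a fixed name with mktemp, inside a private scratch directory that stands in for /tmp. The function names, the "victim" file and the hook argument are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Everything happens in a private scratch directory that
# stands in for /tmp; "victim" is a constructed file, not a real system file.

# Pattern from the quoted rkhunter snippet: test a fixed name, then write to it.
# $1 = directory, $2 = optional hook run in the gap between check and write.
fixed_name_debug() {
    f="$1/rkhunter-debug"
    if [ -e "$f" ]; then
        if [ -f "$f" ] && [ ! -h "$f" ]; then
            rm -f "$f"
        else
            return 1
        fi
    fi
    if [ -n "$2" ]; then "$2" "$1"; fi   # state of the directory changes here
    echo "debug output" > "$f"           # '>' follows whatever the name is now
}

# Pattern from the reply: mktemp chooses an unpredictable name and creates the
# file itself, failing rather than reusing an existing name or symlink.
mktemp_debug() {
    f=$(mktemp "$1/rkhunter-debug.XXXXXXXXXX") || return 1
    echo "debug output" > "$f"
    printf '%s\n' "$f"
}

# Constructed stand-in for a second local user: links the fixed name to victim.
plant_link() { ln -s "$1/victim" "$1/rkhunter-debug"; }

# Runs one pattern against the planted link and prints victim's final content.
run_case() {
    d=$(mktemp -d) || return 1
    echo "important" > "$d/victim"
    case "$1" in
        fixed)  fixed_name_debug "$d" plant_link ;;
        mktemp) plant_link "$d"; mktemp_debug "$d" >/dev/null ;;
    esac
    cat "$d/victim"
    rm -rf "$d"
}

run_case fixed     # prints "debug output": the write went through the link
run_case mktemp    # prints "important": the fixed name was never opened
```

The -f/-h test in the original script is only true at the instant it runs; the later redirect opens the name again, and that second lookup is what mktemp removes.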