On Thu, 4 May 2000, Roland Hilkenbach wrote:
Hi, trying to create a user-crontab, I found that crontab -e creates temporary files in /tmp. These files take the name /tmp/crontab.xxx where the extension seems to be the PID of the crontab -e command and thus are easy to guess by other people. Since /tmp is writable by everyone, someone else could possibly create a file following this naming convention, thereby disturbing the crontab command. I wasn´t able to smuggle data into the crontabs but this
I assume crontab checks for the files existence _before_ creating it. This is a standard when dealing with tmp files. You might consider reading more about system programming using tmp files. Just creating a file to tmp _blindly_ would be dangerous (as it might overwrite another file, possibly a link to some important file). I think crontab is written this in mind.
behavior can easily be used to do a DoS since the /tmp directory has the sticky-Bit set.
What? No sticky bits are set at my installation. That would be a major mistake allowing others to make files belonging to root:root. Just think what these files could do, if made setuid too? You should doublecheck your system, if someone has somehow made your tmp setgid- or setuid something. -Pete
Regards Roland Hilkenbach
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com