[linux-security] Linux libc5 'bug' in mkstemp().
X-RDate: Wed, 11 Mar 1998 15:17:05 +0500 (ESK)
Date: Mon, 9 Mar 1998 22:07:04 -0500 (EST)
From: Greg Alexander <galexand@sietch.bloomington.in.us>
To: bugtraq@netspace.org, linux-security@redhat.com
Subject: [linux-security] Linux libc5 'bug' in mkstemp().

Pardon me if this is already known -- Theo, at least, had never heard of a
Unix doing this.

mkstemp() under Linux claims to conform to BSD4.3, but BSDs (FreeBSD and
OpenBSD, at least) seem to have a slightly different behavior.  Under Linux,
new files are created with mode 0666, while under BSDs new files are created
with mode 0600.  A user need only set his umask to 0 and he will be able to
write to temp files created with mkstemp() by suid root programs, unless the
suid root programs set their own umask.  This is probably not a major
problem for any apps, but it's something everyone should note when porting
security-sensitive apps to Linux from BSDs (and possibly other platforms).

[mod: I disagree with the "not a major problem" part, every breach like 
this leads to a root hole. -- REW]

A quick check shows that mkstemp() is implemented in glibc2.0.7-pre1 using
0666 as well, but that was just from a perfunctory glance at the code --
something may be going on that I didn't notice.

Greg Alexander - also <gralexan@indiana.edu> - http://sietch.home.ml.org/
----
Any sufficiently advanced bug is indistinguishable from a feature.
		-- Rich Kulawiec
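Added example (not part of Greg Alexander's post or of any libc): the portable way to neutralise the behaviour the post describes is to stop trusting whatever creation mode the libc's mkstemp() happens to use. The code below sets a restrictive umask around the mkstemp() call, forces 0600 on the open descriptor with fchmod(), and verifies the result with fstat() before handing the descriptor back. It then reproduces the post's scenario (process umask 0) and returns the mode the file actually ended up with. The template path /tmp/private-XXXXXX and all function names are constructed for this demo.

```c
/* Added example (not from the original post): creating a temp file whose
 * permissions do not depend on the libc's mkstemp() mode or on the umask the
 * process inherited. Template path and function names are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a temp file that only the owner can read or write, whatever mode the
 * libc uses for mkstemp() and whatever umask the caller has.
 * Returns the descriptor, or -1 with errno set. */
int open_private_tempfile(char *template)
{
    struct stat st;
    int saved_errno;

    /* A umask of 077 turns a libc5-style 0666 creation into 0600 at open()
     * time, so there is no window in which the file is group/world writable.
     * Save and restore the caller's umask around the call. */
    mode_t saved = umask(077);
    int fd = mkstemp(template);
    umask(saved);
    if (fd == -1)
        return -1;

    /* Belt and braces: force 0600 on the descriptor, not on the path, so a
     * swap of the name after creation cannot redirect the chmod. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1)
        goto fail;

    /* Confirm through the descriptor that this is a fresh, private, regular
     * file before the caller writes anything into it. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        goto fail;
    return fd;

fail:
    saved_errno = errno ? errno : EPERM;
    close(fd);
    unlink(template);
    errno = saved_errno;
    return -1;
}

/* Permission bits (e.g. 0600) of an open descriptor, or -1 on error. */
int fd_permission_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    return (int)(st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
}

/* Reproduce the post's scenario: the process runs with umask 0 (what a user
 * can arrange for a suid program that never sets its own umask), then creates
 * a private temp file. Returns the resulting permission bits, or -1 on error.
 * The file is removed before returning. */
int private_tempfile_mode_with_umask0(void)
{
    char path[] = "/tmp/private-XXXXXX";   /* constructed template */
    mode_t saved = umask(0);
    int fd = open_private_tempfile(path);
    umask(saved);
    if (fd == -1)
        return -1;
    int mode = fd_permission_bits(fd);
    close(fd);
    unlink(path);
    return mode;
}

int main(void)
{
    int mode = private_tempfile_mode_with_umask0();
    if (mode == -1) {
        perror("open_private_tempfile");
        return 1;
    }
    printf("temp file created under umask 0 has mode %04o\n", mode);
    return mode == 0600 ? 0 : 1;
}
```

On current glibc and musl, mkstemp() itself creates the file 0600, so the umask and fchmod() steps are redundant there; they matter precisely when porting to a libc whose mkstemp() mode you have not verified, which is the situation the post describes. The fstat() check is the cheap way to catch the problem in a test suite rather than in production: run the program under `umask 0` and fail the build if the reported mode is anything other than 0600.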

