|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Jan Grant (Jan.Grant_at_bristol.ac.uk)
Date: Mon Nov 11 2002 - 05:14:25 CST
On Sun, 10 Nov 2002, Joshua Goodall wrote:
> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption. If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?
Yep. Also, consider mounting /var/tmp with nosymfollow.
-- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/ Hang on, wasn't he holding a wooden parrot? No! It was a porcelain owl.To Unsubscribe: send mail to majordomo
FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]