Bug 6645

Summary: Race condition in /etc/profile.d/lang.csh allows trojans
Product: [Retired] Red Hat Linux
Component: initscripts
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Keywords: Security
Reporter: mbeattie
Assignee: Bill Nottingham <notting>
CC: rvokal
Doc Type: Bug Fix
Last Closed: 1999-11-09 17:54:46 UTC

Description mbeattie 1999-11-02 14:28:59 UTC
/etc/profile.d/lang.csh contains the lines

    sed ... > /tmp/csh.$$
    source /tmp/csh.$$

which is a classic security gotcha race condition. A symlink
flipping attack or similar (with pid prediction) allows any
local user to substitute code that will be run by the
attacked user. /tmp should *never* be used directly for
creating temporary files like that. Either per-user temp
directories should be used or else you can jump through
hoops and create a temp directory within /tmp, do some
stringent checks and then put your temp file in that one.
I think the OpenBSD crowd probably have a script for that.
In this case, you don't need a temp file in any case and
eval would be better. I'll give this a couple of weeks to
be fixed before notifying bugtraq.
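The pattern the report describes, and the two alternatives it mentions (no temp file plus eval, or a properly created private temp file), as an added illustration that is not code from the report or from the initscripts package. It is written in POSIX sh rather than csh so it can be run directly; the `KEY=value` layout of /etc/sysconfig/i18n and the sed expression that turns it into export statements are assumptions, and the audit function is a simple grep that flags any reference to a /tmp path built from `$$`:

```shell
#!/bin/sh
# Added example for the lang.csh race condition. Not code from the
# initscripts package. The i18n file format (KEY=value lines) and the
# sed expression below are assumptions made for this illustration.

# 1. Audit: print "lineno:text" for every line in a profile script that
#    refers to a /tmp path built from the shell pid ($$). A predictable
#    name under a world-writable directory is what makes the race possible.
audit_predictable_tmp() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$1"
}

# Number of findings, for use in scripts (0 means the file looks clean).
audit_count() {
    audit_predictable_tmp "$1" | wc -l | tr -d ' '
}

# 2a. Hardened loader with no temp file at all: turn KEY=value lines into
#     "export KEY=value" lines, accepting only a strict character set for
#     both sides. Anything else is dropped rather than executed.
lang_exports() {
    sed -nE 's/^([A-Z_][A-Z0-9_]*)=([A-Za-z0-9_.@:-]*)$/export \1=\2/p' "$1"
}

# Apply the assignments in the current shell. This is the "eval would be
# better" alternative from the report: the generated text never touches
# the filesystem, so there is nothing for another user to swap out.
load_lang() {
    eval "$(lang_exports "$1")"
}

# 2b. If a file really is required, create it inside a directory made by
#     mktemp -d: the name is unpredictable and the directory is created
#     with mode 0700, so no other local user can pre-create a symlink or
#     file at that path. Prints the path of the generated file; the caller
#     removes the directory when done.
lang_tmpfile() {
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"            # mktemp -d already does this; made explicit
    lang_exports "$1" > "$dir/lang.sh"
    printf '%s\n' "$dir/lang.sh"
}
```

Running `audit_count /etc/profile.d/lang.csh` on an affected release prints 2 (the redirect and the `source`); on a fixed one it prints 0. The sed filter in `lang_exports` is what makes the eval approach acceptable here: the input file is root-owned, and the whitelist rejects any line whose value contains shell metacharacters, so a line such as `BAD=foo;rm -rf x` is silently skipped instead of being evaluated.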

Comment 1 Bill Nottingham 1999-11-09 17:54:59 UTC
Fixed in the 4.63-1 errata release.