The diskcheck.pl script is located in /etc/cron.hourly and is executed every hour by cron to check if any disks/partitions are 90%+ filled and if so an e-mail is sent to root (as specified in /etc/diskcheck.conf by default). I find it useful, however I have come across a configuration problem that leaves a rather annoying security problem.

Whenever the script is run, it creates a file named /tmp/diskusagealert.txt.$$ This is due to the line in /etc/diskcheck.conf:

    # Location and name for a temp file
    $tempfile = '/tmp/diskusagealert.txt';

and the script itself adds the process number to the end of the file name. Using a program like temp-watch a normal user can easily guess what the file will be named and create a symlink to an existing or non-existing file and overwrite or create files anywhere on any mounted drive because the program does not check to see if the file exists or not. Creating only 75 symlinks I was able to get diskcheck to overwrite /etc/shadow when it was executed by cron, which is obviously a bad thing.

The script itself writes the temp file which contains an e-mail to the user specified in /etc/diskcheck.conf informing him/her that there are/is partition(s) over 90% full, and if there are really any it sends the e-mail. Because it writes the e-mail whether or not there are near capacity drives it can be exploited under any circumstances with regards to drives being filled or not. When a system is busy (i.e. high work load or many users on) it is much more trivial to exploit.

There are a couple ways to deal with this:

1) Change the directory name in the script to use something like /var/spool/cron instead of /tmp to create the temp file.
2) Use a less guessable name and check for the existence of files before creating a new one.
3) Modify the script to only write the temp file if the disks are filling AND use one of the above two methods to safely create the file.

-Stan Bubrouski
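Suggestions 2 and 3 from the report above, sketched in Perl as an added example; this is not code from diskcheck.pl or from the package maintainer. The function names open_exclusive and write_alert are hypothetical, and the decoy file, scratch directory and partition string are constructed sample values.

```perl
#!/usr/bin/perl
# Added example: safe temp-file creation for a cron job that runs as root.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Create $path only if nothing is there. With O_CREAT|O_EXCL the kernel fails
# with EEXIST if the name exists, even when it is a symlink (dangling or not).
sub open_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return (undef, "$!");
    return ($fh, undef);
}

# Write the alert only when there is something to report (suggestion 3),
# under an unpredictable name that File::Temp creates atomically with
# mode 0600 (suggestion 2).
sub write_alert {
    my ($dir, @full_partitions) = @_;
    return unless @full_partitions;
    my ($fh, $name) = tempfile('diskusagealert.XXXXXXXXXX', DIR => $dir);
    print {$fh} "Partitions over 90% full:\n", map("  $_\n", @full_partitions);
    close($fh) or die "close $name: $!";
    return $name;
}

# Constructed demo inside a private scratch directory (not /tmp itself).
my $dir   = tempdir(CLEANUP => 1);
my $decoy = "$dir/decoy";                    # stands in for a sensitive file
my $guess = "$dir/diskusagealert.txt.$$";    # predictable name from the report
open(my $d, '>', $decoy) or die "open: $!";
print {$d} "original\n";
close($d);
symlink($decoy, $guess) or die "symlink: $!";    # link already in place

my ($fh, $err) = open_exclusive($guess);
print defined $fh ? "opened (unexpected)\n" : "refused: $err\n";

my $none = write_alert($dir);                # nothing full: no file is created
print "no alert file written\n" unless defined $none;
my $file = write_alert($dir, '/dev/sda1 93%');
printf "alert written to %s (mode %04o)\n", $file, (stat $file)[2] & 07777;
```

The exclusive open leaves the decoy file untouched because the kernel rejects the existing name instead of following the link.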
Thanks for the report. I have built it and it now uses /var/spool/cron by default in the conf file. The latest package should show up in rawhide the next time it's updated. Tim
An errata will be released today for Powertools 6.x. For some reason it was fixed for Powertools 7, but I forgot to release an errata for 6.x. Tim