Bug 26101 - Small /tmp handling problem in Xconfigurator
Summary: Small /tmp handling problem in Xconfigurator
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: Xconfigurator
Version: 7.1
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: Preston Brown
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-02-05 15:45 UTC by Pekka Pietikäinen
Modified: 2007-04-18 16:31 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-02-05 15:45:31 UTC
Embargoed:

Attachments (Terms of Use)

Description Pekka Pietikäinen 2001-02-05 15:45:28 UTC 
As a user, ln -s /root/.rhosts /tmp/SERVER and wait for the admin to
run Xconfigurator --pick (which happens when the system is upgraded,
right?)

After it's been run, root ends up with a .rhosts containing "XFree86 480",
which theoretically could be used for doing some nasty things 
(assuming the person also runs rlogin for some reason, I tried to
misconfigure sshd
to accept the .rhosts file but failed)

The code does check for the existance of the file using access() and
removes
the file if it exists, but since it's a symlink to a non-existing file the
symlink doesn't 
get removed like it should. Replacing the access() with a stat() or
something 
should do the trick.

Ok, that's all pretty theoretical so I didn't even classify this as a
security problem,
but things like this are worth checking for in other things that get run
during upgrades :)
Comment 1 Preston Brown 2001-02-08 23:57:53 UTC 
this code was old and unused.  However, when it was active, it was only used at
installation time, so the security risk was ~nil.

Still, the code was cruft and I have removed it in 4.6.9 and later.
Note You need to log in before you can comment on or make changes to this bug.