Bug 26101 - Small /tmp handling problem in Xconfigurator
Small /tmp handling problem in Xconfigurator
Product: Red Hat Linux
Classification: Retired
Component: Xconfigurator (Show other bugs)
i386 Linux
medium Severity low
: ---
: ---
Assigned To: Preston Brown
David Lawrence
Depends On:
  Show dependency treegraph
Reported: 2001-02-05 10:45 EST by Pekka Pietikäinen
Modified: 2007-04-18 12:31 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-02-05 10:45:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Pekka Pietikäinen 2001-02-05 10:45:28 EST
As a user, ln -s /root/.rhosts /tmp/SERVER and wait for the admin to
run Xconfigurator --pick (which happens when the system is upgraded,

After it's been run, root ends up with a .rhosts containing "XFree86 480",
which theoretically could be used for doing some nasty things 
(assuming the person also runs rlogin for some reason, I tried to
misconfigure sshd
to accept the .rhosts file but failed)

The code does check for the existance of the file using access() and
the file if it exists, but since it's a symlink to a non-existing file the
symlink doesn't 
get removed like it should. Replacing the access() with a stat() or
should do the trick.

Ok, that's all pretty theoretical so I didn't even classify this as a
security problem,
but things like this are worth checking for in other things that get run
during upgrades :)
Comment 1 Preston Brown 2001-02-08 18:57:53 EST
this code was old and unused.  However, when it was active, it was only used at
installation time, so the security risk was ~nil.

Still, the code was cruft and I have removed it in 4.6.9 and later.

Note You need to log in before you can comment on or make changes to this bug.