Bug 26101 - Small /tmp handling problem in Xconfigurator
Summary: Small /tmp handling problem in Xconfigurator
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: Xconfigurator   
(Show other bugs)
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Preston Brown
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2001-02-05 15:45 UTC by Pekka Pietikäinen
Modified: 2007-04-18 16:31 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-02-05 15:45:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Pekka Pietikäinen 2001-02-05 15:45:28 UTC
As a user, ln -s /root/.rhosts /tmp/SERVER and wait for the admin to
run Xconfigurator --pick (which happens when the system is upgraded,

After it's been run, root ends up with a .rhosts containing "XFree86 480",
which theoretically could be used for doing some nasty things 
(assuming the person also runs rlogin for some reason, I tried to
misconfigure sshd
to accept the .rhosts file but failed)

The code does check for the existance of the file using access() and
the file if it exists, but since it's a symlink to a non-existing file the
symlink doesn't 
get removed like it should. Replacing the access() with a stat() or
should do the trick.

Ok, that's all pretty theoretical so I didn't even classify this as a
security problem,
but things like this are worth checking for in other things that get run
during upgrades :)

Comment 1 Preston Brown 2001-02-08 23:57:53 UTC
this code was old and unused.  However, when it was active, it was only used at
installation time, so the security risk was ~nil.

Still, the code was cruft and I have removed it in 4.6.9 and later.

Note You need to log in before you can comment on or make changes to this bug.