Following mail just went to the debian folks:

Dear Nerds,

maybe you remember my /tmp symlink attack posting to bugtraq some time ago. Some closer investigation revealed that in SuSE Linux 6.1 (a pity we are not allowed to use debian at our site, but anyway...), the following programs were susceptible to symlink attacks; of course, the list most probably is not complete, but it contains the most frequently used programs showing bad behaviour:

Exploitable Program    typical file
man                    /tmp/zman09639aaa
all the rcs stuff      /tmp/T0a10328
netscape               /tmp/jzip378496230054DAE
mktexpk                /tmp/mt20385.tmp/mt20385.out
tkdesksh               /tmp/17780aaa
kmail                  /tmp/kmail26766/part4/unnamed,
                       /tmp/kmail26766/part2/scharfes_s.ps
pine                   /tmp/pine_prt023368
kdmrc                  /tmp/T0a23848
mupad                  /tmp/xmupad_mupad_connect.5663
pvmd3                  /tmp/pvml.2346

Don't know yet where these calls did come from; some might be SuSE-specific.

?                      sh -c mount /dev/fd0 2>/tmp/mnt931444692
?                      /usr/bin/vi /tmp/snd.4920
?                      cp query /tmp

Furthermore, I think cflow also had problems on my private machine.
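
The file names listed in the mail above follow a guessable pattern (fixed prefix plus a number). The C program below is an added example, not part of the original mail or of any listed program: it contrasts a plain `O_CREAT|O_TRUNC` open with an `O_CREAT|O_EXCL` open when a symlink already sits at the predictable path. The directory, the `victim` file and the name `zman00042aaa` are constructed for the demonstration, and everything happens inside a private `mkdtemp()` directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern behind names like /tmp/zman09639aaa: a guessable path opened with
 * O_CREAT|O_TRUNC. open() follows a symlink that already sits at that path. */
int open_tmp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything, even a dangling
 * symlink, already exists at the path. */
int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: "victim" holds 4 bytes and a symlink with a
 * predictable name points at it. Returns the victim's size after the chosen
 * opener ran (or -1 on setup failure); *open_errno gets the opener's errno. */
long victim_size_after(int (*opener)(const char *), int *open_errno) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], link[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/zman00042aaa", dir); /* constructed name */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0 && write(vfd, "keep", 4) == 4 && symlink(victim, link) == 0) {
        errno = 0;
        int fd = opener(link);
        *open_errno = fd < 0 ? errno : 0;
        if (fd >= 0) close(fd);
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    if (vfd >= 0) close(vfd);
    unlink(link); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e = 0;
    long n = victim_size_after(open_tmp_naive, &e);
    printf("naive open: victim is now %ld bytes\n", n);
    n = victim_size_after(open_tmp_excl, &e);
    printf("excl open:  victim is still %ld bytes (errno %d)\n", n, e);
    return 0;
}
```

In real code, `mkstemp()` combines an unpredictable name with the same exclusive-create semantics, and shell scripts can get the equivalent from `mktemp` instead of redirecting to a fixed `/tmp` path.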