Red Hat Bugzilla – Bug 4410
overwrite any of mc-users files.
Last modified: 2008-05-01 11:37:51 EDT
A couple of days ago, I was learning the bash shell .. and about functions. My book told me to type "declare -f" .. so I did .. and this is the output:
# declare -f
declare -f mc ()
/usr/bin/mc -P "$@" >"$MC";
cd "`cat $MC`";
I tried to figure out what it was all about .. and it suddenly struck me .. SYMLINK ATTACK.
This leads to the possibility for a local user to overwrite a local mc user's files. If I am a user of a system, and know that root is an mc user .. and that he uses mc as root quite often .. then I can, every time I notice that he logs in, have a bash script spin up a couple of thousand symlinks from mc<hisbash'sid>-<1-32k> .. make a couple of thousand of them, and there is a quite high possibility that one will hit the mark.
When the user (root?) then exits mc .. he will overwrite the target file with the last used path. Whoopsie, /etc/passwd now just contains a path .. uhm .. user database .. my 15000 users .. oh my.
I don't know if this is a known security problem; it was found in Red Hat 5.2, and verified to exist in 6.0.
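The predictable-name pattern from the report, next to a mktemp-based alternative, as an added example that is not part of the original report or of any Red Hat fix. The names write_predictable, write_safe, demo and mc_safe are hypothetical, the sample data is constructed, and the demo works only inside a private scratch directory.

```shell
#!/bin/sh
# Added example, not code from the bug report. Sample data is constructed.

# Weak pattern from the report: a guessable name in a shared directory,
# written with plain ">", which follows a symlink that is already there.
write_predictable() {    # $1 = directory, $2 = guessable suffix, $3 = data
    printf '%s\n' "$3" > "$1/mc-$2"
}

# Safer pattern: mktemp creates the file itself (O_EXCL, mode 0600) under an
# unguessable name, so a pre-planted link cannot become the write target.
write_safe() {           # $1 = directory, $2 = data; prints the created path
    ws_file=$(mktemp "$1/mc.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$ws_file"
    printf '%s\n' "$ws_file"
}

# Scratch-directory demo: prints "clobbered" or "intact" for the chosen writer.
demo() {                 # $1 = predictable | safe
    d_dir=$(mktemp -d) || return 1
    printf 'important data\n' > "$d_dir/victim"
    ln -s "$d_dir/victim" "$d_dir/mc-1234"   # link waiting at the guessable name
    case $1 in
        predictable) write_predictable "$d_dir" 1234 /home/user ;;
        safe)        write_safe "$d_dir" /home/user > /dev/null ;;
    esac
    if [ "$(cat "$d_dir/victim")" = "important data" ]; then
        d_result=intact
    else
        d_result=clobbered
    fi
    rm -rf "$d_dir"
    printf '%s\n' "$d_result"
}

# Hypothetical hardened wrapper (assumption: mc -P prints the last directory
# to stdout, as the function quoted in the report relies on). Defined only.
mc_safe() {
    MC=$(mktemp "${TMPDIR:-/tmp}/mc.XXXXXXXXXX") || return 1
    /usr/bin/mc -P "$@" > "$MC"
    cd "$(cat "$MC")" || true
    rm -f "$MC"
    unset MC
}

echo "predictable name: $(demo predictable)"
echo "mktemp name:      $(demo safe)"
```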