Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 6645 - Race condition in /etc/profile.d/lang.csh allows trojans
Race condition in /etc/profile.d/lang.csh allows trojans
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: initscripts (Show other bugs)
6.1
All Linux
high Severity medium
: ---
: ---
Assigned To: Bill Nottingham
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-11-02 09:28 EST by mbeattie
Modified: 2014-03-16 22:11 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-11-09 12:54:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description mbeattie 1999-11-02 09:28:59 EST
/etc/profile.d/lang.csh contains the lines
sed ... > /tmp/csh.$$
source /tmp/csh.$$
which is a classic security gotcha race condition. A symlink
flipping attack or similar (with pid prediction) allows any
local user to substitute code that will be run by the
attacked user. /tmp should *never* be used directly for
creating temporary files like that. Either per-user temp
directories should be used or else you can jump through
hoops and create a temp directory within /tmp, do some
stringent checks and then put your temp file in that one.
I think the OpenBSD crowd probably have a script for that.
In this case, you don't need a temp file in any case and
eval would be better. I'll give this a couple of weeks to
be fixed before notifying bugtraq.
Comment 1 Bill Nottingham 1999-11-09 12:54:59 EST
fixed in the 4.63-1 errata release.

Note You need to log in before you can comment on or make changes to this bug.