Bug 6645 - Race condition in /etc/profile.d/lang.csh allows trojans
Summary: Race condition in /etc/profile.d/lang.csh allows trojans
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-11-02 14:28 UTC by mbeattie
Modified: 2014-03-17 02:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-11-09 17:54:46 UTC

Attachments (Terms of Use)

Description mbeattie 1999-11-02 14:28:59 UTC
/etc/profile.d/lang.csh contains the lines
sed ... > /tmp/csh.$$
source /tmp/csh.$$
which is a classic security gotcha race condition. A symlink
flipping attack or similar (with pid prediction) allows any
local user to substitute code that will be run by the
attacked user. /tmp should *never* be used directly for
creating temporary files like that. Either per-user temp
directories should be used or else you can jump through
hoops and create a temp directory within /tmp, do some
stringent checks and then put your temp file in that one.
I think the OpenBSD crowd probably have a script for that.
In this case, you don't need a temp file in any case and
eval would be better. I'll give this a couple of weeks to
be fixed before notifying bugtraq.

Comment 1 Bill Nottingham 1999-11-09 17:54:59 UTC
fixed in the 4.63-1 errata release.

Note You need to log in before you can comment on or make changes to this bug.