Red Hat Bugzilla – Bug 6645
Race condition in /etc/profile.d/lang.csh allows trojans
Last modified: 2014-03-16 22:11:01 EDT
/etc/profile.d/lang.csh contains the lines:

    sed ... > /tmp/csh.$$

which is a classic security gotcha race condition. A symlink
flipping attack or similar (with pid prediction) allows any
local user to substitute code that will be run by the
attacked user. /tmp should *never* be used directly for
creating temporary files like that. Either per-user temp
directories should be used or else you can jump through
hoops and create a temp directory within /tmp, do some
stringent checks and then put your temp file in that one.
I think the OpenBSD crowd probably have a script for that.
In this case, you don't need a temp file in any case and
eval would be better. I'll give this a couple of weeks to
be fixed before notifying bugtraq.
Fixed in the 4.63-1 errata release.
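
The two remedies suggested in the report (eval with no temp file, or a temp file inside a private directory), plus a check for the predictable-name pattern, as an added POSIX sh example. It is not code from the Red Hat package: gen_settings, the DEMO_* variables and all function names are constructed for illustration, and mktemp(1) is assumed to be available.

```shell
#!/bin/sh
# Added example, not the Red Hat script. gen_settings is a constructed
# stand-in for the elided "sed ..." pipeline; it emits shell assignments.
# DEMO_* names are used so the real locale is left alone.
gen_settings() {
    printf 'DEMO_LANG=%s\nDEMO_LC_COLLATE=%s\n' 'en_US' 'C'
}

# Remedy 1: no temporary file. The generated text goes straight to eval,
# so there is no path in /tmp for another local user to pre-create or swap.
# eval is only as trustworthy as the input the pipeline reads.
load_settings_eval() {
    eval "$(gen_settings)"
}

# Remedy 2: a temp file inside a private directory. mktemp -d creates the
# directory with mode 0700 under an unpredictable name and fails instead of
# reusing an existing path.
load_settings_private_dir() {
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/lang.XXXXXXXX") || return 1
    # Stop if the result is not a real directory.
    if [ -L "$tmpdir" ] || [ ! -d "$tmpdir" ]; then
        return 1
    fi
    (umask 077; gen_settings > "$tmpdir/settings") && . "$tmpdir/settings"
    status=$?
    rm -rf "$tmpdir"
    return "$status"
}

# Audit helper: list lines in the given scripts that build a /tmp path
# from the shell's PID ($$), the predictable-name pattern in the report.
# Exit status is 0 when at least one such line is found.
find_pid_tmpfiles() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$@"
}
```

find_pid_tmpfiles can be pointed at other startup scripts, for example the files under /etc/profile.d, to look for the same pattern.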