Julien L. reported a bug in the way sysstat creates a temporary file during startup. Introduction ------------ Sysstat package provides the sar and iostat commands for Linux. Sar and iostat enable system monitoring of disk, network, and other IO activity. When sysstat service starts or restarts, a part of the sysstat script located in the /etc/init.d directory is executed. /etc/init.d/sysstat (from a Red Hat EL5 distribution): ... 31 rm -f /tmp/sysstat.run 32 33 # See how we were called. 34 case "$1" in 35 start) 36 echo -n "Calling the system activity data collector (sadc): " 37 /usr/lib/sa/sadc -F -L - && touch /tmp/sysstat.run 38 ... The temporary file "sysstat.run" is created in an insecure manner in the tmp directory. A simple user is abble to create a file wherever on the system using a symlink attack. This flaw is only exploitable when the sysstat service is issued a "start" command. This is only exploitable by a local user when the system switches runlevels (the most likely being the move from runlevel 3 to runlevel 5 during startup). It's also possible if an admin run "service sysstat start". Running "service sysstat restart" will not trigger the flaw.
Reference to Gentoo bugzilla, contains a patch: http://bugs.gentoo.org/show_bug.cgi?id=188808
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html
Statement: This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.