Julien L. reported a bug in the way sysstat creates a temporary file during startup.
Sysstat package provides the sar and iostat commands for Linux. Sar and
iostat enable system monitoring of disk, network, and other IO activity.
When sysstat service starts or restarts, a part of the sysstat script
located in the /etc/init.d directory is executed.
/etc/init.d/sysstat (from a Red Hat EL5 distribution):
31 rm -f /tmp/sysstat.run
33 # See how we were called.
34 case "$1" in
36 echo -n "Calling the system activity data collector (sadc): "
37 /usr/lib/sa/sadc -F -L - && touch /tmp/sysstat.run
The temporary file "sysstat.run" is created in an insecure manner in the
tmp directory. A simple user is abble to create a file wherever on the
system using a symlink attack.
This flaw is only exploitable when the sysstat service is issued a "start"
command. This is only exploitable by a local user when the system switches
runlevels (the most likely being the move from runlevel 3 to runlevel 5 during
startup). It's also possible if an admin run "service sysstat start".
Running "service sysstat restart" will not trigger the flaw.
Reference to Gentoo bugzilla, contains a patch:
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:1005 https://rhn.redhat.com/errata/RHSA-2011-1005.html
This issue did not affect the versions of sysstat as shipped with Red Hat Enterprise Linux 4. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2011:1005 advisory.