From owner-freebsd-hackers Fri Oct 18 18:54:44 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA09753 for hackers-outgoing; Fri, 18 Oct 1996 18:54:44 -0700 (PDT)
Received: from arvidsjaur (arvidsjaur.anu.edu.au [150.203.160.29]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA09748 for ; Fri, 18 Oct 1996 18:54:41 -0700 (PDT)
Received: by arvidsjaur.anu.edu.au id <65052-172>; Sat, 19 Oct 1996 11:50:50 +1000
From: Andrew Tridgell
To: bde@zeta.org.au
CC: freebsd-hackers@FreeBSD.org, Guido.vanRooij@nl.cis.philips.com, julian@whistle.com
In-reply-to: <199610190115.LAA27084@godzilla.zeta.org.au> (message from Bruce Evans on Sat, 19 Oct 1996 11:15:27 +1000)
Subject: Re: fix for symlinks in /tmp (fwd) FYI
Reply-to: Andrew.Tridgell@anu.edu.au
Message-Id: <96Oct19.115050+1000est.65052-172+234@arvidsjaur.anu.edu.au>
Date: Sat, 19 Oct 1996 11:50:40 +1000
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> >so doopen is set to NULL, meaning don't create. This means anyone
> >using mktemp() still needs to be careful about setting O_EXCL. Does
> >gcc on BSD do this?
>
> Not in FreeBSD.

Sorry to be so dumb, but do you mean "not in FreeBSD" as in "FreeBSD is
not vulnerable" or "not in FreeBSD" as in "gcc on FreeBSD doesn't do the
right thing"?

I strongly suspect that gcc does the same thing on all platforms, so it's
probably vulnerable on all platforms.

> There is still a race (with a much smaller window) if O_EXCL isn't
> used even if symlinks aren't followed.

Hmmm, do you mean the user creating a world-writeable file (not a
symlink) in /tmp of the right name? It's not as nasty as the things you
can do with symlinks, but yes, it can be used to subvert security. It's
only a security risk when the program doing the /tmp stuff can be made
to do something nasty by changing the data in its /tmp files.

Luckily this is much harder than the symlink style of attack (where you
just point the link at some other program's data file, thereby giving
you a much wider range of programs to attack).

I suppose you could do this with gcc by changing the assembler code in
the /tmp file to do something nasty, perhaps while root is compiling the
kernel. It would not be easy though.

Cheers, Andrew
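The point the thread keeps returning to is that mktemp() only chooses a name; whether a pre-existing object at that name is refused or silently reused depends on O_EXCL being set on the subsequent open(). The following C program is an added illustration written for this archive page, not code from the thread, from gcc or from FreeBSD. It contrasts an exclusive open with a non-exclusive one against a file that already exists at the chosen name, and shows mkstemp(), which combines name selection and exclusive creation in one call so there is no window between the two. The template path and function names are constructed for the example.

```c
/* Added example (not from the thread): O_EXCL versus a non-exclusive
 * open of a temporary file whose name already exists.  The template
 * path and all function names are constructed for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open a *new* file at path.  O_CREAT|O_EXCL makes the kernel fail with
 * EEXIST if anything already exists at that name, and a symlink at the
 * name is not followed, so a pre-planted file or link is never reused. */
int open_new_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The pattern the thread warns about: O_EXCL missing, so whatever already
 * sits at the name is opened (and here truncated) instead of refused. */
int open_without_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Preferred replacement for mktemp()+open(): mkstemp() picks the name and
 * creates the file with O_CREAT|O_EXCL in a single call.  tmpl must end
 * in "XXXXXX" and is overwritten with the name actually chosen. */
int make_temp_file(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Demonstration: once a file exists at the name, the exclusive open must
 * fail with EEXIST while the non-exclusive open quietly succeeds.
 * Returns 1 when both behaviours are observed, 0 otherwise. */
int exclusive_check_demo(void)
{
    char tmpl[] = "/tmp/excl_demo_XXXXXX";   /* constructed template */
    int result = 0;

    int fd = make_temp_file(tmpl);           /* the "pre-existing" object */
    if (fd < 0)
        return 0;

    int fd_excl = open_new_exclusive(tmpl);  /* expected: -1, errno EEXIST */
    int excl_errno = errno;
    int fd_plain = open_without_excl(tmpl);  /* expected: a valid fd */

    if (fd_excl == -1 && excl_errno == EEXIST && fd_plain >= 0)
        result = 1;

    if (fd_plain >= 0)
        close(fd_plain);
    if (fd_excl >= 0)
        close(fd_excl);
    close(fd);
    unlink(tmpl);
    return result;
}

int main(void)
{
    printf("O_EXCL refuses a pre-existing name: %s\n",
           exclusive_check_demo() ? "yes" : "no");
    return 0;
}
```

When reviewing code that writes to a shared directory such as /tmp, the check to make is that every create path carries O_EXCL (or goes through mkstemp()); the demonstration above is the behaviour that check guarantees, and the non-exclusive variant is what a missing flag turns into.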