From owner-freebsd-bugs  Sun Aug 16 11:00:05 1998
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA02422
          for freebsd-bugs-outgoing; Sun, 16 Aug 1998 11:00:05 -0700 (PDT)
          (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA02412
          for <freebsd-bugs@FreeBSD.org>; Sun, 16 Aug 1998 11:00:03 -0700 (PDT)
          (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.8.8/8.8.5) id LAA27841;
	Sun, 16 Aug 1998 11:00:00 -0700 (PDT)
Received: from ns2.sminter.com.ar (ns2.sminter.com.ar [200.10.100.11])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA02101
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 16 Aug 1998 10:53:58 -0700 (PDT)
          (envelope-from Recabarren!fpscha@ns2.sminter.com.ar)
Received: (from uucp@localhost)
          by ns2.sminter.com.ar (8.8.5/8.8.4)
	  id OAA22037 for freebsd.org!FreeBSD-gnats-submit; Sun, 16 Aug 1998 14:51:18 -0300 (GMT)
Message-Id: <199808161717.OAA01029@localhost.schapachnik.com.ar>
Date: Sun, 16 Aug 1998 14:17:55 -0300 (ART)
From: fpscha@schapachnik.com.ar
Reply-To: fpscha@schapachnik.com.ar
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/7632: Race condition in /stand/sysinstall
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         7632
>Category:       bin
>Synopsis:       Race condition in /stand/sysinstall
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 16 11:00:00 PDT 1998
>Last-Modified:
>Originator:     Fernando P. Schapachnik
>Organization:
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:

	

>Description:
/stand/sysinstall creates a temporary file named /tmp/doc.tmp. It first unlink any previous copy and then creates a new one. But between these syscalls somebody can ln -s /etc/passwd /tmp/doc.tmp. This will cause /etc/passwd being overwritten, as sysinstall runs as root.

	

>How-To-Repeat:
Run sysinstall and look at /tmp.

	

>Fix:
/var/run should be used instead of /tmp.
	
	


>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message