Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 8 Nov 2002 01:58:37 +0100 (CET)
From:      Matthias Buelow <mkb@informatik.uni-wuerzburg.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/45124: uw-imapd creates world-writable tmp file
Message-ID:  <200211080058.gA80wbWi006944@reiher.informatik.uni-wuerzburg.de>
next in thread | raw e-mail | index | archive | help 

>Number:         45124
>Category:       ports
>Synopsis:       uw-imapd creates world-writable tmp file
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 07 17:00:08 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Buelow
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
>Environment:
System: FreeBSD reiher.informatik.uni-wuerzburg.de 4.7-STABLE FreeBSD 4.7-STABLE #3: Wed Oct 16 20:40:58 CEST 2002 root@reiher.informatik.uni-wuerzburg.de:/usr/obj/usr/src/sys/REIHER i386

>Description:

The UW imap server (<ports>/mail/imap-uw) seems to create a world writable
file in /tmp, owned by the imap account user, where it records its PID:

# ls -l /tmp
total 6
-rw-rw-rw-  1 mlmkb  wheel    5 Nov  8 01:44 .20d05.60c0a
# cat /tmp/.20d05.60c0a 
63918
# ps uxp 63918
USER    PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
mlmkb 63918  0.0  0.1  1812 1248  ??  Is    1:44AM   0:00.02 imapd

There seems to be an advisory lock on the file (vi complains, for
example) but this is no protection at all; a simple echo >> f
will append to the file, for example.

The bug could be used to allocate disk blocks on behalf of another
user.  I don't know whether it could be used for further disruption
(such as replacing the pid in there with that of another process
owned by the user).

imapd version is IMAP4rev1 2001.315

>How-To-Repeat:

See above.

>Fix:

Contact the uw-imapd maintainer for requesting a bug fix.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211080058.gA80wbWi006944>