Date: Mon, 11 Nov 2002 11:14:25 +0000 (GMT) From: Jan Grant <Jan.Grant@bristol.ac.uk> To: Joshua Goodall <joshua@roughtrade.net> Cc: jdp@freebsd.org, security <security@freebsd.org> Subject: Re: Security issue in net/cvsup-mirror port Message-ID: <Pine.GSO.4.44.0211111114070.27378-100000@mail.ilrt.bris.ac.uk> In-Reply-To: <20021109231151.GF33758@roughtrade.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 10 Nov 2002, Joshua Goodall wrote: > Hi, > > Better not to file a PR for this, I feel. > > I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that > it appends to the fixed-name file /var/tmp/cvsupd.out > > Therefore if I were a malicious user, I could make a symlink of that > name in /var/tmp to effect arbitrary file corruption. If > I was really clever, I might point it at /root/.ssh/authorized_keys and > use secondary means to get cvsupd's output to include my public key. > > Consider changing it to /var/log/cvsupd.out ? Yep. Also, consider mounting /var/tmp with nosymfollow. -- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/ Hang on, wasn't he holding a wooden parrot? No! It was a porcelain owl. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.44.0211111114070.27378-100000>