Date: Tue, 24 Dec 1996 14:36:01 -0800 (PST)
From: Steve Reid <steve@edmweb.com>
To: Igor Roshchin <igor@alecto.physics.uiuc.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: Holes in default cron jobs (fwd)
Message-ID: <Pine.BSF.3.95.961224142301.219C-100000@bitbucket.edmweb.com>
In-Reply-To: <199612242156.PAA23404@alecto.physics.uiuc.edu>

> Excuse me, I was wondering (it might be stupid, 'cause I am probably
> about something), why don't do a simple check for existence of the file,
> something like
>
> if ( -f $TMP ) then
>     rm -rf $TMP
> endif

Possible race condition. What if the attacker replaces the $TMP file with a
symlink, _after_ you perform that test, but _before_ you create the actual
file?

    while true; do ln -s /etc/passwd /tmp/secure_12345; done

Also, an attacker could set up a whole bunch of processes to take CPU time
away from the cron job, giving him lots of time between your test and the
creation of the actual file. Who would notice such a thing at 2am?

With all of the attention given to buffer overflows recently, it's easy to
forget about race conditions and improper /tmp usage.
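Added example, not part of the original message: the check-then-create race from the reply above, reproduced in C inside a private scratch directory, next to the atomic alternative, open(2) with O_CREAT|O_EXCL. The file names, the helper names and the window() stand-in for the other process are constructed for illustration.

```c
/* Added example (constructed). Everything happens inside a private mkdtemp()
 * directory; "victim" stands in for a file the job must never overwrite. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static char dir[64], tmp[96], victim[96];

/* Stand-in for another process acting between the job's syscalls. */
static void window(void) { if (symlink(victim, tmp) != 0) perror("symlink"); }

/* The quoted proposal: test, remove, create. These are separate syscalls, so
 * the name can change between them, and plain O_CREAT follows a symlink. */
static int create_checked(const char *path) {
    struct stat st;
    if (lstat(path, &st) == 0) unlink(path);
    window();                                   /* the race window */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: one syscall. With O_CREAT|O_EXCL the kernel returns EEXIST if the
 * name exists at all, symlinks included. Treat that as fatal, do not retry. */
static int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the victim file is intact afterwards, 0 if it was truncated. */
int victim_survives(int use_exclusive) {
    struct stat st;
    snprintf(dir, sizeof dir, "/tmp/toctou.XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/secure_12345", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important\n", f);                    /* 10 bytes */
    fclose(f);
    if (use_exclusive) window();                /* name already taken on arrival */
    int fd = use_exclusive ? create_exclusive(tmp) : create_checked(tmp);
    if (fd >= 0) close(fd);
    int ok = stat(victim, &st) == 0 && st.st_size == 10;
    unlink(tmp); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) {
    printf("check-then-create intact=%d\n", victim_survives(0));
    printf("O_CREAT|O_EXCL    intact=%d\n", victim_survives(1));
    return 0;
}
```

In a shell cron job the same guarantee comes from creating the file with mktemp(1) rather than a fixed name under /tmp.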