From owner-freebsd-security Mon Feb 26 08:26:39 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA28494 for security-outgoing; Mon, 26 Feb 1996 08:26:39 -0800 (PST)
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id IAA28483 for ; Mon, 26 Feb 1996 08:26:31 -0800 (PST)
Received: by haven.uniserve.com id <30777-28103>; Mon, 26 Feb 1996 08:28:38 -0800
Date: Mon, 26 Feb 1996 08:28:33 -0800 (PST)
From: Tom Samplonius
To: Mark Smith
cc: invalid opcode , taob@io.org, freebsd-security@freebsd.org
Subject: Re: Suspicious symlinks in /tmp
In-Reply-To: <199602261536.PAA11711@comtch.iea.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Mon, 26 Feb 1996, Mark Smith wrote:

> >
> > On Sun, 25 Feb 1996, Mark Smith wrote:
> >
> > > > Looks like someone is trying to exploit a race condition in order to grab
> > > > the password file.
> > >
> > > Will this attack work under FreeBSD 2.1R ?
> > > Mark
> >
> > A race condition attack will work under any OS when a race condition is
> > possible.
> >
>
> Possibly, I didn't make myself clear. Is this race condition possible
> under FreeBSD 2.1R ?

The stock password file editing utils use /etc for temp space, so symlinks in /tmp are harmless. And as some have suggested, files pointed to by symlinks in /tmp will not be deleted during clearing of /tmp at bootup.

Tom
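
For admins who find symlinks like the ones discussed in this thread, the following is an added example (not part of the original message or of FreeBSD) that lists symlinks in a world-writable directory whose targets resolve outside it, with the owning uid. The function name audit_symlinks is hypothetical, and the default directory /tmp is an assumption taken from the thread subject.

```python
import os
import sys


def audit_symlinks(directory):
    """Return sorted (link_path, resolved_target, owner_uid) tuples for every
    symlink directly inside `directory` whose target resolves outside it."""
    root = os.path.realpath(directory)
    findings = []
    with os.scandir(root) as entries:
        for entry in entries:
            # Classify with lstat semantics only: never follow the link here.
            if not entry.is_symlink():
                continue
            info = entry.stat(follow_symlinks=False)
            raw_target = os.readlink(entry.path)
            # A relative target is interpreted from the link's own directory.
            # realpath() also resolves dangling targets, which matter because
            # a link to a not-yet-existing file is what a race would rely on.
            resolved = os.path.realpath(os.path.join(root, raw_target))
            if os.path.commonpath([root, resolved]) != root:
                findings.append((entry.path, resolved, info.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default: /tmp, the directory named in the thread subject.
    scan_dir = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for link, target, uid in audit_symlinks(scan_dir):
        print(f"{link} -> {target} (owner uid {uid})")
```

The owner uid of each reported link identifies the account that created it, which is the starting point for follow-up.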