List: bugtraq
Subject: Re: Problem with default slackware crontabs
From: Andi Gutmans <andi () vipe ! technion ! ac ! il>
Date: 1996-12-25 13:24:19
Hey,
On my redhat system this isn't the case.
The temp file of db is in /var/lib which is only writeable by root.
Andi
At 14:34 24/12/96 -0900, Jon Snyder wrote:
>Using Slackware 3.0, I noticed a problem with the default root crontab. It
>runs updatedb at 7:40 a.m. every day, but unfortunately updatedb has a
>temporary file security problem--it doesn't check for symlinks (or if the
>file exists, for that matter). updatedb will write to /var/tmp (or
>/usr/tmp), and although the filename includes the PID of the shell the
>script is running under, a vulnerability still exists. I've taken updatedb
>out of my crontab, because locate is never used on my system. However, it
>might be wise to modify the script so as to prevent exploits from
>compromising your systems.
>
>
>Jon Snyder
>Student Network Technician, FNSBSD
>(907) 452-2000 x. 376
>
>
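
Added example, not part of either message and not the Slackware or Red Hat updatedb script: the temporary-file pattern the report describes (a name built from the shell PID and opened with plain redirection) next to a mktemp-based replacement. The function names, the `updatedb.` file prefix and the scratch directory are assumptions made for the demonstration; nothing under /var/tmp is touched.

```shell
#!/bin/sh
# Added example. All files live in a scratch directory made with mktemp -d;
# the names used here are constructed for the demonstration.

# Pattern from the report: predictable name (shell PID), plain redirection.
# If that name already exists as a symlink, the write lands on the link target.
write_predictable() {     # $1 = temp directory, $2 = data
    printf '%s\n' "$2" > "$1/updatedb.$$"
}

# Hardened: mktemp picks an unpredictable name and creates the file itself
# with O_EXCL and mode 0600, so a name that already exists is never reused.
write_mktemp() {          # $1 = temp directory, $2 = data; prints the path used
    t=$(mktemp "$1/updatedb.XXXXXX") || return 1
    printf '%s\n' "$2" > "$t"
    printf '%s\n' "$t"
}

# Constructed scenario: a pre-existing symlink occupies the predictable name.
# Prints the contents of the link target after each writer has run.
demo() {
    d=$(mktemp -d) || return 1
    printf 'important\n' > "$d/target"
    ln -s "$d/target" "$d/updatedb.$$"

    write_mktemp "$d" scratch >/dev/null
    printf 'after mktemp writer:      %s\n' "$(cat "$d/target")"

    write_predictable "$d" scratch
    printf 'after predictable writer: %s\n' "$(cat "$d/target")"
    rm -rf "$d"
}

demo
```

Keeping the temporary file in a directory only root can write, as the reply says Red Hat does with /var/lib, removes the shared-directory precondition altogether.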