From owner-linux-security@tarsier.cv.nrao.edu Sat Sep 2 11:42:09 1995 Received: from tarsier.cv.nrao.edu (tarsier.cv.nrao.edu [192.33.115.50]) by redhat.com (8.6.11/8.6.9) with ESMTP id LAA10004 for ; Sat, 2 Sep 1995 11:42:05 -0400 Received: (from majdom@localhost) by tarsier.cv.nrao.edu (8.6.12/8.6.9) id IAA06787; Sat, 2 Sep 1995 08:47:44 -0400 Received: from cortex.AMS.Med.Uni-Goettingen.DE (root@cortex.AMS.Med.Uni-Goettingen.DE [134.76.140.101]) by tarsier.cv.nrao.edu (8.6.12/8.6.9) with ESMTP id FAA06456; Sat, 2 Sep 1995 05:57:10 -0400 Received: by cortex.AMS.Med.Uni-Goettingen.DE (Smail3.1.29.1 #9) id m0sopJH-0005G8C; Sat, 2 Sep 95 11:56 MET DST Date: Sat, 2 Sep 1995 11:56:22 +0200 (MET DST) From: Lutz Pressler To: Olaf Kirch cc: linux-security@tarsier.cv.nrao.edu, BUGTRAQ@CRIMELAB.COM Subject: elm and /tmp/mbox.*: patch Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-linux-security@tarsier.cv.nrao.edu Precedence: list Status: RO -----BEGIN PGP SIGNED MESSAGE----- Hello, as Olaf Kirch found out, elm (at least 2.4, including elm-2.4pl24me6) opens it's temporary mbox file in /tmp without checking for existing symlinks. This can be exploited by a local user: for example to create an .rhosts file for another account which has none yet - with valid entries, thus getting access to that account. The following patch (to be applied in the elm distribution directory) disables this possibility by changing the temporary mailbox file location to be .mbox.* in the users' home directory. This prohibits multiple elm sessions on different hosts with shared home dir, but as in this case the mail spool is probably shared, too, this should not be a problem. It seems that the other files sometimes created by elm in /tmp are not so problematic. I haven't checked this thoroughly yet though. Regards, Lutz Patch follows (remove PGPs "- " !): --- elm2.5.3/hdrs/sysdefs.SH.security Tue Feb 29 08:12:44 2000 +++ elm2.5.3/hdrs/sysdefs.SH Tue Feb 29 08:17:14 2000 @@ -107,7 +107,7 @@ #define default_temp "$tmpdir/" #define temp_file "snd." #define temp_form_file "form." -#define temp_mbox "mbox." +#define temp_mbox ".mbox." #define temp_print "print." #define temp_edit "elm-edit" #define temp_uuname "uuname." --- elm2.5.3/src/newmbox.c.security Tue Feb 29 08:10:35 2000 +++ elm2.5.3/src/newmbox.c Tue Feb 29 08:18:20 2000 @@ -244,7 +244,7 @@ char *cp; - sprintf(tempfn, "%s%s", default_temp, temp_mbox); + sprintf(tempfn, "%s/.elm/%s", user_home, temp_mbox); cp = basename(mbox); if (strcmp(cp, "mbox") == 0 || strcmp(cp, "mailbox") == 0 || strcmp(cp, "inbox") == 0 || *cp == '.') -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMEgqGE8rRJEuvpUdAQGQKAP9H2UXf3CbyC5/fZifAV9OzKoR6eGEwloA H/8+OJEfpwOacYCpcoi4Njkaj2bEzjlyRxzDnz0VBFPdurxvFsN2cM9qMAN2tvNZ qnP73hXFkLsi/ga8mmuVYeYgzoZJZOzPKSgA7SvtV8aD8WR/IK9Ze56beei5BIEx jlwv9TGpI7A= =82WU -----END PGP SIGNATURE----- -- Lutz Pre"sler Systemverwaltung -- Abt. Medizinische Statistik, Universit"at G"ottingen Humboldtallee 32, D-37073 G"ottingen, Tel.: +49(0551) 39-9774 FAX: -4995 [PGP-key:WWW&Keyserver] IRC:lp