OpenSSH tmp cleanup

Nalin Dahyabhai nalin at redhat.com
Sat Jun 9 02:36:31 EST 2001


On Fri, Jun 08, 2001 at 10:40:28AM +0200, Markus Friedl wrote:
> On Thu, Jun 07, 2001 at 08:07:32PM -0400, Nalin Dahyabhai wrote:
> > On Thu, Jun 07, 2001 at 10:52:33PM +0200, Markus Friedl wrote:
> > > did someone check this?
> > 
> > The patch appears to prevent the deletion of wrong files, but it still
> > looks to me that if a local user can hit the window between the
> > mkdtemp() and open() calls, he can cause the cookie file to be created
> > in any directory the superuser can write to.
> 
> how can he do this?
> 
> we switch to the uid of the user before mkdtemp() and back after
> the call to open().

My mistake.  I didn't read that part of the patch closely enough,
and got confused by the call to restore_uid() in cases where mkdtemp()
fails.  Never mind.

Sorry for the confusion.

Nalin
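
The ordering discussed in this thread, as an added illustration that is not code from the patch or from OpenSSH: the effective ids are switched to the user's before mkdtemp() and restored only after open(), on every path including mkdtemp() failure. The helper name `create_cookie_as`, the `/tmp/cookie-XXXXXX` template and the `cookies` file name are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not OpenSSH's): create a cookie file for the given
 * user inside a fresh mkdtemp() directory while running with that user's
 * effective ids. Returns an open fd and writes the path to `out`, or -1. */
int create_cookie_as(uid_t uid, gid_t gid, char *out, size_t outlen)
{
    char dir[] = "/tmp/cookie-XXXXXX";   /* constructed template */
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd = -1;

    /* Switch the effective ids first: group, then user. */
    if (setegid(gid) != 0 || seteuid(uid) != 0)
        goto restore;

    /* mkdtemp() and open() both run with the user's rights, so anything
     * the user swaps in between the two calls is resolved with the user's
     * own permissions and cannot redirect a privileged write. */
    if (mkdtemp(dir) != NULL) {
        snprintf(out, outlen, "%s/cookies", dir);
        /* O_EXCL refuses a pre-existing name, symlinks included. */
        fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            rmdir(dir);
    }

restore:
    /* Restore on every path, including mkdtemp() failure: user id first
     * (to regain privilege), then group. Failing to restore is fatal. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    return fd;
}
```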



More information about the openssh-unix-dev mailing list