OpenSSH tmp cleanup
Nalin Dahyabhai
nalin at redhat.com
Sat Jun 9 02:36:31 EST 2001
On Fri, Jun 08, 2001 at 10:40:28AM +0200, Markus Friedl wrote:
> On Thu, Jun 07, 2001 at 08:07:32PM -0400, Nalin Dahyabhai wrote:
> > On Thu, Jun 07, 2001 at 10:52:33PM +0200, Markus Friedl wrote:
> > > did someone check this?
> >
> > The patch appears to prevent the deletion of wrong files, but it still
> > looks to me that if a local user can hit the window between the
> > mkdtemp() and open() calls, he can cause the cookie file to be created
> > in any directory the superuser can write to.
>
> how can he do this?
>
> we switch to the uid of the user before mkdtemp() and back after
> the call to open().
My mistake. I didn't read that part of the patch closely enough,
and got confused by the call to restore_uid() in cases where mkdtemp()
fails. Never mind.
Sorry for the confusion.
Nalin
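
The pattern Markus describes above (switch to the user's uid before mkdtemp() and back after open()), as an added example that is not part of the original messages and is not OpenSSH's code. The function name `create_cookie_as_user`, the `/tmp/cookie-XXXXXX` template and the `cookies` file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not OpenSSH's code): create a cookie file inside a
 * fresh private directory while running with the target user's effective
 * ids. Returns an open fd and fills path on success, -1 on failure. */
int create_cookie_as_user(uid_t uid, gid_t gid, char *path, size_t len)
{
    char dir[] = "/tmp/cookie-XXXXXX";   /* constructed template */
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd = -1;

    /* Drop the group first, then the user: once the euid is dropped we
     * may no longer be allowed to change the gid. */
    if (setegid(gid) == -1)
        return -1;
    if (seteuid(uid) == -1) {
        (void)setegid(saved_gid);
        return -1;
    }

    /* mkdtemp() and open() both run as the user, so swapping the
     * directory between the two calls can only redirect the file to a
     * place the user could already write to. O_EXCL and O_NOFOLLOW
     * refuse a pre-existing file or a symlink at the final component. */
    if (mkdtemp(dir) != NULL &&
        (size_t)snprintf(path, len, "%s/cookies", dir) < len)
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

    /* Restore on every path, including mkdtemp() failure, in reverse
     * order. A failed restore is treated as an error, never ignored. */
    if (seteuid(saved_uid) == -1 || setegid(saved_gid) == -1) {
        if (fd != -1)
            close(fd);
        return -1;
    }
    return fd;
}
```

The restore step running even when mkdtemp() fails is what the restore_uid() call mentioned in the reply corresponds to: it undoes the earlier switch and does not mean the file operations ran as the superuser.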