Logfile symlink vulnerability
Mon Mar 22 15:44:00 GMT 2004
On Sun, 21 Mar 2004, Eran Tromer wrote:
> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to
> whatever it's pointing to (see LogInit() in os/log.c). This allows
> standard symlink-following attacks.
> Some possible fixes:
> * Place the logfile somewhere in the user's home directory.
The log may get quite big and start trashing the home directory.
> * Refuse to follow symlinks, or to write to existing files. Most users,
> failing to clean up logs, will not get new logs after the first failure.
What about removing the file before opening it for writing?
> * Give the logfile a unique filename, a la the "uniq" utility.
Not an option. For support reasons we require a unique name on all systems
so we can tell them to send in /tmp/XWin.log.
http://www.gotti.org ICQ: 126018723
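
Added example, not part of the original thread or of the XWin source: one way to keep a fixed log name while combining the "remove the file first" and "refuse to follow symlinks" ideas discussed above. The helper name open_log_nofollow, the demo function and the temporary paths are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* exposes O_NOFOLLOW and mkdtemp on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a fixed-name log without following a symlink. */
int open_log_nofollow(const char *path)
{
    /* unlink() removes the link itself, never the file it points to. In a
       sticky /tmp it fails for entries owned by another user, so we stop. */
    if (unlink(path) == -1 && errno != ENOENT)
        return -1;
    /* O_EXCL fails if anything (a symlink included) reappeared between the
       unlink and the open; O_NOFOLLOW is a second guard on the last component. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: returns 1 if the planted link's target is untouched. */
int demo_symlink_is_not_followed(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", target[64], log[64], buf[16] = {0};
    struct stat st;
    int ok = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/XWin.log", dir);
    FILE *f = fopen(target, "w");
    if (f) { fputs("original", f); fclose(f); }
    if (f && symlink(target, log) == 0) {        /* log -> victim */
        int fd = open_log_nofollow(log);
        if (fd >= 0) {
            ssize_t n = write(fd, "log line\n", 9);
            close(fd);
            f = fopen(target, "r");
            if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
            ok = n == 9 && lstat(log, &st) == 0 && S_ISREG(st.st_mode)
                 && strcmp(buf, "original") == 0;
        }
    }
    unlink(log); unlink(target); rmdir(dir);
    return ok;
}
```

A plain unlink() followed by an open() without O_EXCL would leave a window in which the link can be recreated; here that case makes the open fail instead of writing through the link.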