Slackware Linux's ppp-off command uses /tmp insecurely by writing ps output to /tmp/grep.tmp, allowing an unprivileged user to overwrite any file as root.
Hi,

In Slackware Linux the script /usr/bin/ppp-off writes the output of 'ps x'
to /tmp/grep.tmp.

Since root is the user that runs ppp-off, a non-privileged user could create
a link from /tmp/grep.tmp to any file (i.e. /etc/issue), thus when root runs
the ppp-off script, the output of 'ps x' would be put in the linked file.

The fix would be to replace every instance of /tmp/grep.tmp in the ppp-off
script with something along the lines of /root/grep.tmp.

Take care,
sinfony
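The temporary-file pattern described in the advisory, next to a hardened form that uses mktemp, as an added example that is not part of the original post and not the Slackware ppp-off script. The function names, the sandbox directory standing in for /tmp and the stand-in "victim" file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (constructed), not the Slackware ppp-off script.
# The directory argument stands in for /tmp so the demo stays in a sandbox.

# Process listing; falls back to a constructed header if ps is unavailable.
list_processes() {
    ps x 2>/dev/null || printf 'PID TTY STAT TIME COMMAND\n'
}

# Pattern from the advisory: fixed name in a shared directory.
# The ">" redirection follows whatever already exists at that path.
snapshot_fixed_name() {
    list_processes > "$1/grep.tmp"
    printf '%s\n' "$1/grep.tmp"
}

# Hardened pattern: mktemp creates a new file exclusively (mode 0600) under an
# unpredictable name, so a pre-existing link at a known path is never opened.
snapshot_mktemp() {
    tmpfile=$(mktemp "$1/ppp-off.XXXXXX") || return 1
    list_processes > "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Sandbox demo: a link named grep.tmp points at a stand-in "victim" file.
# Prints which pattern left the victim file intact.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    for pattern in snapshot_mktemp snapshot_fixed_name; do
        printf 'original\n' > "$sandbox/victim"
        ln -sf "$sandbox/victim" "$sandbox/grep.tmp"
        "$pattern" "$sandbox" > /dev/null
        if [ "$(cat "$sandbox/victim")" = "original" ]; then
            echo "$pattern: victim intact"
        else
            echo "$pattern: victim overwritten"
        fi
    done
    rm -rf "$sandbox"
}

run_demo
```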