tech-security: Re: [suse-security] SuSE Security Announcement

Subject: Re: [suse-security] SuSE Security Announcement - aaa_base
To: None <tech-security@netbsd.org>
From: Thomas Michael Wanka <tm_wanka@earthling.net>
List: tech-security
Date: 04/29/2000 17:05:44

  by mail.netbsd.org with SMTP; 29 Apr 2000 15:04:18 -0000
          (InterMail vK.4.02.00.10 201-232-116-110 license 1f48a2e5282ae02b3513b45a0a10fc26)
          with ESMTP id <20000429150358.CQVH13685.viemta04@default>
          for <tech-security@netbsd.org>; Sat, 29 Apr 2000 17:03:58 +0200
From: "Thomas Michael Wanka" <tm_wanka@earthling.net>
To: tech-security@netbsd.org
Date: Sat, 29 Apr 2000 17:05:44 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: [suse-security] SuSE Security Announcement - aaa_base
Reply-to: tm_wanka@earthling.net
Message-ID: <390B1668.6351.AAD2E13@localhost>
Priority: normal
In-reply-to: <20000429142806.E601567AD@Galois.suse.de>

Hi,

I include a security information I just got. I have some users homedirs set to 
/tmp as they need to be there by default. Am I right that the mentioned 
security issue (bash profiles in /tmp) affects my system.

thanks

mike

On 29 Apr 2000, at 16:28,  wrote:

>  Two vulnerabilities have been found:
> 
>   1) The cron job /etc/cron.daily/aaa_base does a daily checking of files
> in
>   /tmp and /var/tmp, where old files will be deleted if configured to do
> so.
>   Please note this this feature is NOT activated by default
> 
>   2) Some system accounts have their homedirectories set to /tmp by
> default.
>   These are the users games, firewall, wwwrun and nobody on a SuSE 6.4.
> 
> 2. Impact
> 
>   1) If the /tmp cleanup is activated, any file or directory can be
> deleted
>   by any local user
> 
>   2) If an attacker creates dot files in /tmp (e.g. bash profiles),
> these
>   might be executed if someone uses e.g. "su - nobody" to switch to the
>   nobody user. This can lead to a compromise of that userid.
>   This vulnerability is present in several other unix systems as well -
>   please check all!
> 
> 3. Solution
> 
>   1) Update the package from our FTP server.
> 
>   2) The root user will receive a email with the accounts listed which
> have
>   a homedirectory in /tmp. You have to fix this by hand, because some
>   installations might break if they rely on information saved in the
> (unsafe)
>   /tmp homedirectory.
>   The email will give more information what to do.