product: networker 6.0 date: 19.01.2003 author: l0om <l0om (at) excluded (dot) org [email concealed]> possible symlink attack in shutdown scribt the networker is a backup and storeage system from fujitsu siemens. the shutdown (nsr_shutdown) scribt from networker version 6.0 contains a the following: zero_worklist() { [...] rm -f /tmp/nsrsh$$ echo '. type: nsr group' > /tmp/nsrsh$$ # <---------------- echo 'update work list:; completion:' >> /tmp/nsrsh$$ nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1 rm -f /tmp/nsrsh$$ } [...] as we all know the "$$" is no protection against symlink attacks a user could creat a symbolic link from /tmp/nsrsh(guessed pid) to somewhere in the system and could create or overwrite any file on the system because it must be executed with root priv. a better handling would be something like: TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$ echo '. type: nsr group' > $TMPFILE echo 'update work list:; completion:' >> $TMPFILE nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1 rm -f $TMPFILE or "mktemp /tmp/phun.XXXXXX" - have phun - l0om - www.excluded.org