Date: Tue, 27 Oct 1998 16:23:43 -0600
From: "Patrick J. Volkerding" <gonzo@RRNET.COM>
Subject: Re: Another nice tmp race
To: BUGTRAQ@NETSPACE.ORG

On Wed, 21 Oct 1998, Stefan Laudat wrote:

> Playing with my new shiny Slackware 3.5 box I have noticed
> something unusual. The in.pop3d daemon creates sometimes locks for some
> mailboxes in /usr/tmp/.pop. The directory is drwxrwxrwt so there will be
> no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
> whatever comes in your head. Be creative.

As a test, I created this link logged in as a non-root user:

/var/tmp/.pop/root -> /vmlinuz

Here's the result when root tries to pop mail:

+OK darkstar POP3 Server (Version 1.005l) ready at <Tue Oct 27 16:17:07 1998>
user root
+OK please send PASS command
pass password
-ERR being read already /usr/spool/mail/root
quit
+OK darkstar POP3 Server (Version 1.005l) shutdown.

/vmlinuz was unchanged after this test.

Conclusion: while the locking system used by in.pop3d may look suspect at
first glance, it does not appear to be vulnerable.

---
Patrick J. Volkerding
Slackware Linux maintainer
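
An added example, not part of the original message and not in.pop3d's source: one locking mechanism that would produce the result reported above is an exclusive create, which refuses a pre-existing symlink without following it. That in.pop3d works this way is an assumption; the scratch directory, the file "target" (standing in for /vmlinuz) and the function names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical lock routine: O_CREAT|O_EXCL fails with EEXIST if the name
 * already exists, even as a symlink, and the link target is never opened.
 * Returns a file descriptor, or -1 with errno set. */
int take_lock(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a scratch directory stands in for /var/tmp/.pop.
 * Returns 0 if the lock was refused and the link target is unchanged. */
int demo(void)
{
    char dir[] = "/tmp/popdemoXXXXXX";
    char target[256], lock[256], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lock, sizeof lock, "%s/root", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "kernel", 6) != 6) return -1;
    close(fd);
    if (symlink(target, lock) != 0) return -1;   /* the planted link */

    int lfd = take_lock(lock);
    int refused = (lfd < 0 && errno == EEXIST);  /* "being read already" */
    if (lfd >= 0) close(lfd);

    fd = open(target, O_RDONLY);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    int unchanged = (n == 6 && memcmp(buf, "kernel", 6) == 0);

    unlink(lock); unlink(target); rmdir(dir);
    return (refused && unchanged) ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "lock refused, target unchanged" : "unexpected");
    return rc;
}
```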