[LWN Logo]

Date:	Tue, 27 Oct 1998 16:23:43 -0600
From:	"Patrick J. Volkerding" <gonzo@RRNET.COM>
Subject:      Re: Another nice tmp race
To:	BUGTRAQ@NETSPACE.ORG

On Wed, 21 Oct 1998, Stefan Laudat wrote:
>         Playing with my new shiny Slackware 3.5 box I have noticed
> something unusual. The in.pop3d daemon creates sometimes locks for some
> mailboxes in /usr/tmp/.pop. The directory is  drwxrwxrwt so there will be
> no problem in creating nice links to /zImage, /vmlinuz, /etc/shadow or
> whatever comes in your head. Be creative.

As a test, I created this link logged in as a non-root user:

/var/tmp/.pop/root -> /vmlinuz

Here's the result when root tries to pop mail:

+OK darkstar POP3 Server (Version 1.005l) ready at <Tue Oct 27 16:17:07
1998>
user root
+OK please send PASS command
pass password
-ERR being read already /usr/spool/mail/root
quit
+OK darkstar POP3 Server (Version 1.005l) shutdown.


/vmlinuz was unchanged after this test.  Conclusion:  while the locking
system used by in.pop3d may look suspect at first glance, it does not
appear to be vulnerable.


---
Patrick J. Volkerding
Slackware Linux maintainer