Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site bunker.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!decvax!ittatc!bunker!garys
From: garys@bunker.UUCP (Gary M. Samuelson)
Newsgroups: net.lang.c
Subject: Re: The same PID? (nameless files?)
Message-ID: <987@bunker.UUCP>
Date: Tue, 10-Sep-85 11:06:32 EDT
Article-I.D.: bunker.987
Posted: Tue Sep 10 11:06:32 1985
Date-Received: Wed, 11-Sep-85 20:10:23 EDT
References: <867@brl-tgr.ARPA> <1567@utah-gr.UUCP> <574@baylor.UUCP>
Organization: Bunker Ramo, Trumbull Ct
Lines: 22

> Someone mentioned a security problem, using a scenario like this:
>
>	cracker observes root preparing to edit /etc/passwd
>	cracker creates a bunch of files in /tmp with the same name
> and so on as the editor, pids increasing from current pid to some large
> number.
>	editor creates temp files & cracker has read/write access to same.

How will said cracker have read/write access to the file the editor
created?  The fact that there used to be a different file of the same
name is irrelevant, isn't it?

> This is about the only situation I can see where mktemp does anything
> worthwhile that sprintf("/tmp/foo%dx%d", getpid(), i++) doesn't. Of course
> in a case like this vipw should really create a nameless file.

A nameless file?  What is that?  How does one create/open/unlink it?

> Peter (Made in Australia) da Silva

Gary Samuelson
ittatc!bunker!garys
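Added example, not part of the original post or thread: the two questions above, worked in C on a POSIX system. The function names `open_planted` and `nameless_links`, the `/tmp` templates, and the private `mkdtemp` directory standing in for a shared `/tmp` are assumptions of this sketch; one user plays both roles.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scenario: pre-create a predictable temp name (as another user
 * could in a shared /tmp), then open it with `flags` the way an editor would.
 * Returns the permission bits of the file obtained, or -errno if open() refused. */
int open_planted(int flags)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", path[64];
    struct stat st;
    int fd, result;
    if (!mkdtemp(dir)) return -errno;
    snprintf(path, sizeof path, "%s/foo%ldx0", dir, (long)getpid());
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);   /* the planted file */
    if (fd < 0) { result = -errno; rmdir(dir); return result; }
    fchmod(fd, 0666);                 /* exact mode regardless of umask */
    close(fd);
    fd = open(path, flags, 0600);     /* 0600 applies only if a file is created */
    if (fd < 0) result = -errno;
    else { fstat(fd, &st); result = st.st_mode & 0777; close(fd); }
    unlink(path); rmdir(dir);
    return result;
}

/* "Nameless" file: create under an unpredictable name, unlink it while open.
 * Returns the link count seen through the descriptor (0 = no name), -1 on error. */
int nameless_links(void)
{
    char tmpl[] = "/tmp/namelessXXXXXX";
    struct stat st;
    int links = -1, fd = mkstemp(tmpl);   /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;
    unlink(tmpl);                     /* name gone; data lives until close() */
    if (write(fd, "hello", 5) == 5 && fstat(fd, &st) == 0) links = (int)st.st_nlink;
    close(fd);
    return links;
}

int main(void)
{
    printf("O_CREAT mode=%o, O_EXCL result=%d, nameless links=%d\n",
           (unsigned)open_planted(O_RDWR | O_CREAT),
           open_planted(O_RDWR | O_CREAT | O_EXCL), nameless_links());
    return 0;
}
```

Without `O_EXCL` the open succeeds on the planted file and keeps its existing owner and mode (666 here), so the name matters only while the earlier file still exists; with `O_EXCL` the open fails with `EEXIST`, and the unlinked file reports a link count of 0 while remaining readable and writable through its descriptor.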