This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Logfile symlink vulnerability

From: Alexander Gottwald <alexander dot gottwald at s1999 dot tu-chemnitz dot de>
To: cygwin-xfree at cygwin dot com
Date: Mon, 22 Mar 2004 10:22:28 +0100 (MET)
Subject: Re: Logfile symlink vulnerability
References: <405DE40B.7040101@tromer.org>
Reply-to: cygwin-xfree at cygwin dot com

On Sun, 21 Mar 2004, Eran Tromer wrote:

> Hi,
> 
> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to
> whatever it's pointing to (see LogInit() in os/log.c). This allows
> standard symlink-following attacks.
> 
> Some possible fixes:
> * Place the logfile somewhere in the user's home directory.

The log may get quite big and starts trashing the homedirectory. 

> * Refuse to follow symlinks, or to write to existing files. Most users,
> failing to clean up logs, will not get new logs after the first failure.

What about removing the file before opening it for writing? 

> * Give the logfile a unique filename, a la the "uniq" utility.

Not an option. For support reasons we require a uniqe name on all systems
so we can tell them to send in /tmp/XWin.log.

bye
	ago
-- 
 Alexander.Gottwald@s1999.tu-chemnitz.de 
 http://www.gotti.org           ICQ: 126018723

References:
- Logfile symlink vulnerability
  - From: Eran Tromer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]