Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site prcrs.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!panda!talcott!harvard!seismo!trwatf!rlgvax!prcrs!joel
From: joel@prcrs.UUCP (Joel C. McClung)
Newsgroups: net.bugs.v7
Subject: slight security bug in /bin/sort
Message-ID: <253@prcrs.UUCP>
Date: Tue, 16-Jul-85 15:25:27 EDT
Article-I.D.: prcrs.253
Posted: Tue Jul 16 15:25:27 1985
Date-Received: Thu, 18-Jul-85 06:52:48 EDT
Distribution: net
Organization: PRC Realty Systems (McLean, VA)
Lines: 20

There is a slight security bug in /bin/sort when it creates temporary
files in /usr/tmp.  The temporary files are of the form:

	stmPIDXX

where PID is the process id, and XX is a set of barber-pole characters
(aa, ab, ac, ..., az, ba, bb, etc).  The first temporary file is created
with a mode of 600, but any subsequent tmp files are created with
your default permissions.

Repeat by:
	Run /bin/sort on a very large file and look at the temp files
	created in /usr/tmp.  On my system, a new temp file is created
	whenever the current tmp file is approximately 12,500 bytes large.

Fix:
	I can't.  We are a binary-only site.

-- 
Joel C. McClung
{seismo!rlgvax,cbosgd!dolqci,nrcaero,petsd,pesnta}!prcrs!joel
Planning Research Corporation
1500 Planning Research Drive
McLean, VA 22102
(703) 556-2644
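
Added example, not part of the original post and not the V7 sort source: the permission difference described above, shown as a spill file created through stdio (mode taken from the umask) beside one created with an explicit 0600 and O_EXCL. The function names, the scratch directory and the file name are constructed for the illustration, and the cause inside sort itself is an assumption.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and fdopen() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Loose pattern (hypothetical helper): mode is 0666 & ~umask. */
static FILE *tmp_default(const char *path)
{
    return fopen(path, "w");
}

/* Hardened pattern (hypothetical helper): explicit 0600 on every file,
 * and O_EXCL refuses a name that already exists. */
static FILE *tmp_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Create one spill file under umask 022; return its permission bits or -1. */
int spill_mode(int hardened)
{
    char dir[] = "/tmp/sortdemoXXXXXX";   /* constructed scratch directory */
    char path[64];
    struct stat st;
    int mode = -1;
    mode_t old = umask(022);              /* a common default umask */
    if (mkdtemp(dir) != NULL) {
        snprintf(path, sizeof path, "%s/stm00042ab", dir);  /* constructed name */
        FILE *fp = hardened ? tmp_private(path) : tmp_default(path);
        if (fp != NULL) {
            fclose(fp);
            if (stat(path, &st) == 0)
                mode = (int)(st.st_mode & 0777);
            unlink(path);
        }
        rmdir(dir);
    }
    umask(old);                           /* restore the caller's umask */
    return mode;
}
```

With umask 022 the stdio-created file comes out world-readable, while the explicit-mode file stays owner-only regardless of the umask.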