Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site prcrs.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!panda!talcott!harvard!seismo!trwatf!rlgvax!prcrs!joel
From: joel@prcrs.UUCP (Joel C. McClung)
Newsgroups: net.bugs.v7
Subject: slight security bug in /bin/sort
Message-ID: <253@prcrs.UUCP>
Date: Tue, 16-Jul-85 15:25:27 EDT
Article-I.D.: prcrs.253
Posted: Tue Jul 16 15:25:27 1985
Date-Received: Thu, 18-Jul-85 06:52:48 EDT
Distribution: net
Organization: PRC Realty Systems (McLean, VA)
Lines: 20

There is a slight security bug in /bin/sort when it creates temporary
files in /usr/tmp.  The temporary files are of the form: stmPIDXX where
PID is the process id, and XX is a set of barber-pole characters (aa,
ab, ac, ..., az, ba, bb, etc).  The first temporary file is created
with a mode of 600, but any subsequent tmp files are created with your
default permissions.

Repeat by:
	Run /bin/sort on a very large file and look at the temp
	files created in /usr/tmp.  On my system, a new temp file
	is created whenever the current tmp file is approximately
	12,500 bytes large.

Fix:	I can't.  We are a binary-only site.

-- 
Joel C. McClung	 {seismo!rlgvax,cbosgd!dolqci,nrcaero,petsd,pesnta}!prcrs!joel
Planning Research Corporation
1500 Planning Research Drive
McLean, VA 22102	 (703) 556-2644
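
An added illustration, not part of the original post and not the source of /bin/sort: a C program that reproduces the reported pattern (first temp file created with mode 600, later ones with 0666 filtered by the umask) beside the corrected form that passes 0600 on every create. The function names, the `harden` flag, the umask of 022 and the use of /tmp in place of /usr/tmp are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build the name stmPIDXX in dir; XX runs aa, ab, ..., az, ba, ... */
static void tmpname(char *buf, size_t n, const char *dir, int i)
{
    snprintf(buf, n, "%s/stm%ld%c%c", dir, (long)getpid(),
             'a' + (i / 26) % 26, 'a' + i % 26);
}

/* Create nfiles temp files in dir, then remove them again.
 * harden=0 reproduces the reported behaviour: only the first file is
 * created with mode 0600, the rest with 0666 minus the caller's umask.
 * harden=1 passes 0600 on every create, so the umask no longer matters.
 * Returns how many files had any group/other permission bit set,
 * or -1 on error. */
int exposed_tmpfiles(const char *dir, int nfiles, int harden)
{
    char path[4096];
    int exposed = 0;

    for (int i = 0; i < nfiles; i++) {
        mode_t mode = (harden || i == 0) ? 0600 : 0666;
        struct stat st;

        tmpname(path, sizeof path, dir, i);
        /* O_EXCL: fail rather than reuse a file that already exists. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd < 0)
            return -1;
        int rc = fstat(fd, &st);
        close(fd);
        unlink(path);
        if (rc < 0)
            return -1;
        if (st.st_mode & 077)       /* readable or writable by others */
            exposed++;
    }
    return exposed;
}

int main(void)
{
    umask(022);                     /* assumed default permissions */
    printf("as reported: %d of 4 exposed\n", exposed_tmpfiles("/tmp", 4, 0));
    printf("hardened:    %d of 4 exposed\n", exposed_tmpfiles("/tmp", 4, 1));
    return 0;
}
```

On a binary-only system the same effect can be had without a source fix by setting a restrictive umask (for example 077) in the shell before running sort.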