Subject: security/3525: small race in motd frob in /etc/rc
To: None <>
From: Mike Grupenhoff <>
List: netbsd-bugs
Date: 04/22/1997 13:33:42
>Number:         3525
>Category:       security
>Synopsis:       small race in motd frob in /etc/rc
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 22 10:35:03 1997
>Originator:     Mike Grupenhoff
>Release:        -current 4/22/97
-current as of 4/22/97

	/etc/rc frobs the current kernel version string by using a file in
	/tmp.  However, this occurs after inetd is started, and the file
	is created non-atomically, so there is a smallish potential for
	someone to sneak a symlink in place.
	Inspect the following code in /etc/rc:

rm -f $T
sysctl -n kern.version | sed 1q > $T
echo "" >> $T
sed '1,/^$/d' < /etc/motd >> $T
cmp -s $T /etc/motd || cp $T /etc/motd
rm -f $T

	Notice that inetd is started before this runs.

	Either move the tmp file to a non-world writeable dir,
	perhaps /etc/_motd, or create a subdirectory in /tmp and
	play in there, or have this occur earlier in /etc/rc before
	any other daemons are started.
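
Added example, not part of the original report and not NetBSD's actual fix: one way to apply the "subdirectory in /tmp" suggestion, with the working file kept inside a private directory so that no world-writable path is ever opened for writing. The function name update_motd, its two arguments, and the sample motd and version string are assumptions made for illustration; it also assumes a system that provides mktemp -d.

```shell
#!/bin/sh
# Hardened variant of the /etc/rc motd update quoted in the report.
# Usage: update_motd MOTD_FILE VERSION_STRING
# In rc this would be called roughly as:
#   update_motd /etc/motd "$(sysctl -n kern.version | sed 1q)"
update_motd() {
    motd=$1
    version=$2

    # mktemp -d creates the directory atomically, mode 0700, under an
    # unpredictable name, and fails if the name already exists. A symlink
    # planted in /tmp beforehand is therefore never followed, and no other
    # user can create entries inside the directory afterwards.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/motd.XXXXXX") || return 1
    t=$dir/motd
    rc=0

    {
        # First line: kernel version, followed by a blank separator line.
        printf '%s\n\n' "$version" > "$t" &&
        # Keep everything after the first blank line of the old motd.
        sed '1,/^$/d' < "$motd" >> "$t" &&
        # Only rewrite the motd when the content actually changed.
        { cmp -s "$t" "$motd" || cp "$t" "$motd"; }
    } || rc=1

    rm -rf "$dir"
    return $rc
}

# Demo on a constructed motd in a scratch directory (not /etc/motd).
demo=$(mktemp -d) || exit 1
printf 'StaleKernel 0.0 (CONSTRUCTED)\n\nWelcome to the lab.\n' > "$demo/motd"
update_motd "$demo/motd" "ExampleOS 0.1 (CONSTRUCTED) #0"
cat "$demo/motd"
rm -rf "$demo"
```

If the private directory cannot be created, the function returns non-zero and leaves the motd untouched, so the failure mode is a stale motd rather than a write through an attacker-controlled path.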