Subject: Re: [suse-security] SuSE Security Announcement - aaa_base
To: None <>
From: Thomas Michael Wanka <>
List: tech-security
Date: 04/29/2000 17:05:44
  by with SMTP; 29 Apr 2000 15:04:18 -0000
          (InterMail vK. 201-232-116-110 license 1f48a2e5282ae02b3513b45a0a10fc26)
          with ESMTP id <20000429150358.CQVH13685.viemta04@default>
          for <>; Sat, 29 Apr 2000 17:03:58 +0200
From: "Thomas Michael Wanka" <>
Date: Sat, 29 Apr 2000 17:05:44 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: [suse-security] SuSE Security Announcement - aaa_base
Message-ID: <390B1668.6351.AAD2E13@localhost>
Priority: normal
In-reply-to: <>


I include a security information I just got. I have some users homedirs set to 
/tmp as they need to be there by default. Am I right that the mentioned 
security issue (bash profiles in /tmp) affects my system.



On 29 Apr 2000, at 16:28,  wrote:

>  Two vulnerabilities have been found:
>   1) The cron job /etc/cron.daily/aaa_base does a daily checking of files
> in
>   /tmp and /var/tmp, where old files will be deleted if configured to do
> so.
>   Please note this this feature is NOT activated by default
>   2) Some system accounts have their homedirectories set to /tmp by
> default.
>   These are the users games, firewall, wwwrun and nobody on a SuSE 6.4.
> 2. Impact
>   1) If the /tmp cleanup is activated, any file or directory can be
> deleted
>   by any local user
>   2) If an attacker creates dot files in /tmp (e.g. bash profiles),
> these
>   might be executed if someone uses e.g. "su - nobody" to switch to the
>   nobody user. This can lead to a compromise of that userid.
>   This vulnerability is present in several other unix systems as well -
>   please check all!
> 3. Solution
>   1) Update the package from our FTP server.
>   2) The root user will receive a email with the accounts listed which
> have
>   a homedirectory in /tmp. You have to fix this by hand, because some
>   installations might break if they rely on information saved in the
> (unsafe)
>   /tmp homedirectory.
>   The email will give more information what to do.