Steven M. Bellovin wrote:
> On Thu, 19 Oct 2006 11:14:04 +0200, Jukka Salmi <j+nbsd@2006.salmi.ch>
> wrote:
> 
>> Christian Biere --> current-users (2006-10-19 03:32:51 +0200):
>>> Jukka Salmi wrote:
>>>> on a -current Kerberos V system login(1) works fine while xdm(1) doesn't
>>>> (both are using pam(8), default /etc/pam.d files). After successfully
>>>> logging in, xdm seems to remove the credentials cache file:
>>>  
>>>> [...]
>>>>   3508      1 xdm      CALL  __lstat30(0x806cca0,0xbfbfe094)
>>>>   3508      1 xdm      NAMI  "/tmp/krb5cc_1000"
>>> Might be off-topic but I find it odd that this thing creates a file in the
>>> world-writable directory /tmp with a non-random filename that contains the
>>> user ID.
>> The file is created with mode 0600 and is owned by the user whose uid
>> is contained in the file name.
>>
> What happens if someone creates a symlink of that name, pointing
> elsewhere?  Yes, I see the lstat, but that looks like a classic TOCTTOU
> race condition attack.

Looks like other parts of the code were adapted to use mkstemp(),
perhaps this bit should, too...

-e.

-- 
Elad Efrat