Subject: security/3525: small race in motd frob in /etc/rc
To: None <gnats-bugs@gnats.netbsd.org>
From: Mike Grupenhoff <kashmir@omniscient.com>
List: netbsd-bugs
Date: 04/22/1997 13:33:42
>Number: 3525
>Category: security
>Synopsis: small race in motd frob in /etc/rc
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Apr 22 10:35:03 1997
>Last-Modified:
>Originator: Mike Grupenhoff
>Organization:
>Release: -current 4/22/97
>Environment:
-current as of 4/22/97
>Description:
/etc/rc frobs the current kernel version string by using a file in
/tmp. However, this occurs after inetd is started, and the file
is created non-atomically, so there is a smallish potential for
someone to sneak a symlink in place.
>How-To-Repeat:
Inspect the following code in /etc/rc:
T=/tmp/_motd
rm -f $T
sysctl -n kern.version | sed 1q > $T
echo "" >> $T
sed '1,/^$/d' < /etc/motd >> $T
cmp -s $T /etc/motd || cp $T /etc/motd
rm -f $T
Notice that inetd is started before this runs.
>Fix:
Either move the tmp file to a non-world writeable dir,
perhaps /etc/_motd, or create a subdirectory in /tmp and
play in there, or have this occur earlier in /etc/rc before
any other daemons are started.
>Audit-Trail:
>Unformatted:
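
Added example, not part of the original report or of NetBSD's /etc/rc: the motd update above redone along the lines of the report's second suggested fix, working in a private subdirectory of /tmp. The function name update_motd, its parameters and the _motd.$$ directory name are hypothetical; /etc/rc would call it as update_motd /etc/motd "$(sysctl -n kern.version)".

```shell
#!/bin/sh
# update_motd MOTD_FILE VERSION_STRING [TMP_PARENT]
# Hypothetical helper: rebuilds the first line of MOTD_FILE from
# VERSION_STRING, using a scratch file inside a directory that only
# the caller can write to. MOTD_FILE is assumed to exist already.
update_motd() {
    motd=$1
    version=$2
    parent=${3:-/tmp}
    dir=$parent/_motd.$$

    # mkdir is atomic and fails if the name already exists, whether it
    # is a file, a directory or a symlink planted by another user; it
    # never follows the link. A pre-created name therefore only makes
    # the update refuse to run, it cannot redirect the writes below.
    if ! (umask 077 && mkdir "$dir") 2>/dev/null; then
        echo "update_motd: $dir already exists, refusing to use it" >&2
        return 1
    fi

    # Mode 0700 on $dir means nobody else can create names inside it,
    # so the non-atomic redirections are no longer a race.
    t=$dir/motd
    printf '%s\n' "$version" | sed 1q > "$t"
    echo "" >> "$t"
    sed '1,/^$/d' < "$motd" >> "$t"
    cmp -s "$t" "$motd" || cp "$t" "$motd"

    rm -f "$t"
    rmdir "$dir"
}
```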