Security issue in Terminal

Kevin Chadwick ma1l1ists at yahoo.co.uk
Thu Mar 8 19:15:39 CET 2012


On Thu, 8 Mar 2012 17:41:22 +0100
Guido Berhoerster wrote:

> > regarding world readable. You may grep something or cat something from a
> > file of mode 600, it is apparently written to /tmp by terminal. An
> > attacker running as _nobody could then create an empty file as that
> > user and read the data making that data world readable. I believe  
> 
> I don't get that part, provided that the temporary files are
> created in a secure manner, an unprivileged user cannot access
> them and also does not have access to the raw disk device.

When memory is initialised, because it's a fast, inexpensive operation,
the old memory is cleared. The data on filesystems is left around when
deleted, as overwriting is expensive. You need root to access the device
directly, but I believe all a user has to do is wait and create an empty
file the size of /tmp and run strings on it. I'd have to look up how
to do that again to prove it, but I know you can create a large empty
file without writing.

