System sleep depending on login & logout
Authored by: thrig on Jan 04, '05 11:35:29AM

The following code must not be used where untrusted users have local access as it is a security risk.

echo $1 > /tmp/login_$1.LOCK

A malicious local attacker can simply create symbolic links in advance, then wait for the appropriate user to log in:

$ ln -s /mach.sym /tmp/login_john.LOCK

Or automate the process for all users via scripting:

#!/bin/sh

FILE_TO_TRASH=/mach.sym

# populate links from NetInfo database
nidump passwd / | awk -F: '{print $1}' | while read user; do
ln -s $FILE_TO_TRASH /tmp/login_$user.LOCK
done

To avoid this class of security problem, do not use shared /tmp directories if at all possible. Alternatives include creating a custom directory for exclusive use by login/logout scripts, writing to a database instead of the filesystem, or the mktemp command. mktemp uses a special system call to ensure exclusive access to files under /tmp.

More information on secure temporary file handling.



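An added example, not part of the comment above or of the original hint: one way to follow the "custom directory for exclusive use by login/logout scripts" advice when writing the lock file. LOCK_DIR and write_login_lock are assumed names, and the directory is assumed to be created once by root with mode 0700.

```shell
#!/bin/sh
# Hardened replacement for:  echo $1 > /tmp/login_$1.LOCK
# LOCK_DIR is an assumed path, created once by root:
#   mkdir -m 700 /var/run/loginhook
LOCK_DIR="${LOCK_DIR:-/var/run/loginhook}"

# write_login_lock USER
# Creates $LOCK_DIR/login_USER.LOCK and never writes through a symlink.
write_login_lock() {
    user=$1
    # Only plain account names: no path separators, no leading dot.
    case $user in
        ''|*/*|.*|*[!A-Za-z0-9._-]*)
            echo "refusing user name: $user" >&2
            return 2 ;;
    esac
    # The lock directory must be a real directory, not a link to one.
    if [ -L "$LOCK_DIR" ] || [ ! -d "$LOCK_DIR" ]; then
        echo "lock directory missing or a symlink: $LOCK_DIR" >&2
        return 3
    fi
    lock="$LOCK_DIR/login_$user.LOCK"
    # A symlink at the lock path is the pre-planted link from the attack.
    if [ -L "$lock" ]; then
        echo "refusing symlink at $lock" >&2
        return 4
    fi
    # Drop a stale lock from an earlier session. rm unlinks the name
    # itself and never touches whatever a link might point to.
    rm -f "$lock"
    # set -C (noclobber): '>' fails rather than overwrite an existing
    # regular file. The subshell keeps the option from leaking out.
    ( set -C; printf '%s\n' "$user" > "$lock" ) 2>/dev/null || {
        echo "could not create $lock exclusively" >&2
        return 5
    }
}

# Login hooks receive the user name as the first argument.
if [ $# -gt 0 ]; then
    write_login_lock "$1"
fi
```

The symlink test on its own would still be racy in a world-writable directory; it is the root-only directory that stops other users from creating entries there in the first place.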
System sleep depending on login & logout
Authored by: leb on Jan 04, '05 11:49:48AM

A valid point to this security issue. In my case, the system is at home, so quite a secure environment.


