We just had a case where finding script output files in /tmp or /var/tmp or other world writeable dirs, could be written as symlinks by an unprivileged user to cause harm.
It's not easily exploitable due to the output file having to NOT exist and also the user knowing what name it will be, but it is possible.
e.g
If user1 (normal user) wrote a symlink in /tmp to /etc/passwd
user1# ln -s /tmp/script.out /etc/passwd
Then a script came along running as root and created output or debug or anything to /tmp/script.out then it would overwrite /etc/passwd and obviously cause trouble to the system.
As said the user would need to know what scripts would be ran as root and where to output but people sometimes forget to chmod 750 ot 700 certain scripts.
If therefore check any output file i'm going to create as below :-
Code:
output_security()
{
# Check any file to be used is not a symlink elswhere.
# If exceptions are needed dont call this function
# This is an e.g so doesn't include checking $@
for FILE in $@
do
if [ -h ${FILE} ];then
print "ERROR: File [${FILE}] is a sym link and not a regular file" >&2
print "Potential Security Risk so exiting" >&2
exit 2
}
outputfile=/tmp/$(basename $0).out
tmpfile=/tmp/$(basename $0).tmp
output_security "${outputfile} ${tmpfile}"
....blah blah
