Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)
paul.szabo at sydney.edu.au
paul.szabo at sydney.edu.au
Fri Oct 14 20:25:59 UTC 2016
Dear Salvatore,
> You are operating here outside of /tmp (sticky world-writable
> directory) which the above issue for the init scripts relies on,
> right? fs.protected_(hardlinks|symlinks) is exactly a hardening for
> those issues:
> https://www.kernel.org/doc/Documentation/sysctl/fs.txt
I see: the kernel now treats things in /tmp (with sticky bit
permissions) differently from other places (without "weird"
permissions). Thanks for pointing this out for me!
(I never noticed this change...)
Then I agree that this issue is not exploitable in default Debian,
no need for DSA. (Sorry about the noise.)
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
More information about the pkg-java-maintainers
mailing list