RH 6.x


    Jin-Ho You posted the following.  Note that this has already been
    reported in:

    DiskCheck is a Perl script that monitors how much space is available
    on your hard drive.  Basically, it checks your drive space every hour
    and takes action based on the specifications in the config file
    /etc/diskcheck.conf.

    The command, /etc/cron.hourly/  is executed with root privilege
    every hour.  It creates a temporary file whose default name,
    /tmp/diskusagealert.txt.<pid>, is defined in /etc/diskcheck.conf;
    the name is predictable and the script is willing to follow symbolic
    links.  This may allow malicious local users to create or overwrite
    arbitrarily named files.

    To exploit, the following cron job creates the file, /etc/nologin:

        0 * * * * perl -e 'foreach $i (1..200) { $pid = $$ + $i; \
           symlink("/etc/nologin", "/tmp/diskusagealert.txt.$pid"); }'


    Relocate the temporary file into a directory where only root can
    create files.  For example, edit /etc/diskcheck.conf:

        $tempfile = '/var/local/diskusagealert.txt'

        # ls -ld /var/local
        drwxr-xr-x   2 root     root         1024 Feb  7  1996 /var/local/

    It is fixed in Red Hat's current rawhide, and in Red Hat Pinstripe
    (7.0 beta).
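    The workaround above moves the file out of a world-writable
    directory; the underlying defect is that the script opens a
    predictable name in a way that follows a planted symlink.  The
    following is an added example, not DiskCheck's own code and not part
    of the original post, showing how such a script could create its
    alert file so that a pre-planted symlink is refused outright and the
    containing directory is verified to be root-only first.  The path
    value, the function names and the alert text are illustrative
    assumptions; the real path is whatever $tempfile is set to in
    /etc/diskcheck.conf.

```perl
#!/usr/bin/perl
# Added example (not DiskCheck's own code): create the alert file without
# following a pre-planted symbolic link.  Paths and names are assumed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Basename qw(dirname);

# Assumed value for demonstration; in DiskCheck this comes from
# /etc/diskcheck.conf.  The pid suffix mirrors the original naming.
my $tempfile = '/var/local/diskusagealert.txt.' . $$;

# Returns 1 when $dir exists, is owned by root and is writable by neither
# group nor other, i.e. no unprivileged user can plant a symlink inside it.
# This encodes the "root only can create a file" condition from the
# advisory as a runtime check instead of relying on an ls -ld by hand.
sub dir_is_root_only {
    my ($dir) = @_;
    my @st = stat($dir) or return 0;
    my ($mode, $uid) = @st[2, 4];
    return 0 unless -d _;          # reuse the stat buffer
    return 0 unless $uid == 0;     # must be owned by root
    return 0 if $mode & 022;       # group- or world-writable: refuse
    return 1;
}

# Creates $path atomically and writes $text into it.
# O_EXCL makes the open fail if anything (a symlink included) already
# exists at that name; O_NOFOLLOW refuses to traverse a symlink as the
# final path component.  Together they close the race that a plain
# open(">$path") leaves open, regardless of where the file lives.
sub write_alert_safely {
    my ($path, $text) = @_;
    my $dir = dirname($path);
    die "$dir is not a root-only directory, refusing to write\n"
        unless dir_is_root_only($dir);
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "cannot create $path: $!\n";
    print $fh $text;
    close $fh or die "write to $path failed: $!\n";
    return 1;
}

# Example use (assumed alert text); the file is removed once consumed so
# the O_EXCL create succeeds again on the next hourly run.
write_alert_safely($tempfile, "disk usage alert: /var is above threshold\n");
# ... mail or log the contents here ...
unlink $tempfile or warn "could not remove $tempfile: $!\n";
```

    With this pattern a symlink left at the expected name causes the open
    to fail with an error rather than the root-owned script writing
    through it, so the hourly job reports the problem instead of
    silently clobbering the link's target.  The directory check is the
    same condition the ls -ld output above illustrates, enforced on
    every run.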

    For Conectiva Linux: