Re: asfsm: It looked merely broken, but now I see it's dangerous.

Michal Vitecek (M.Vitecek@sh.cvut.cz)
Wed, 26 Aug 1998 12:43:26 +0200


 Well, if you used asfsm_lite, you'd be much safer. It doesn't write to any
 file and doesn't use the system() command to retrieve information about
 mounted filesystems and free space on them. And it's better IMO :)
 Definitely check it out.

Kris Coward wrote:
>I noticed something kinda bleh with asfsm today..
>I ssh-ed into my home machine (while I still have a solid connection) from the
>login window after running xinit (so I wouldn't have the wm at work get in the
>way), and having this login window up revealed a great deal to me.
>It kept giving me the error message: /usr/tmp/statfs: Permission denied. or
>something to that effect, so I take a look at this statfs, and lo and behold,
>it belongs to root (I have several X servers running at once, the first one of
>which was started is running as root). It appears to be the file that asfsm
>uses to store disk usage information, and it's overwritten completely as root
>every 30s... in a *WORLD WRITEABLE DIRECTORY*
>This is a Very Bad Thing, since any schmuck could (in /usr/tmp) do ln -s
>/etc/passwd statfs. It's also a Sort of Bad Thing in that if you have multiple
>copies of asfsm running as different users, all but one of them fill up the
>terminal with useless error messages, that and for some reason, the statfs that
>was cluing me into this problem was quite stale, and giving bad information to
>me.
>Needless to say.. this could use fixing.. I'm going to try to find time to
>patch it up myself, but if there's no further word in a week, I've had no luck.
>
>I will also be posting notice of this on bugtraq.
>
>Kris Coward
>
>--
>   WWW:   http://www.afterstep.org/
>   FTP:   ftp://ftp.afterstep.org/
>   MAIL:  http://www.caldera.com/linuxcenter/forums/afterstep.html
>

-- 
			fuf


------------------------------ na IRC -------------------------------------
 BillGates [bgates@www.microsoft.com] has joined #LINUX
 ...
 mode/#linux [+b BillGates!*@*] by DoDad
 BillGates was kicked off #linux by DoDad (banned: We see enough of Bill
          Gates already.)
 


--
   WWW:   http://www.afterstep.org/
   FTP:   ftp://ftp.afterstep.org/
   MAIL:  http://www.caldera.com/linuxcenter/forums/afterstep.html
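The quoted report describes a root process rewriting a fixed-name file in a world-writable directory, where a planted symlink redirects the write. The following C is an added example (not asfsm code and not part of the thread) of how such a status file should be opened: O_NOFOLLOW refuses a symlink at the final component, and an fstat on the descriptor rejects anything that is not a regular, single-link file owned by the caller. It assumes /tmp is writable and builds its own scratch directory with a constructed decoy file and symlink.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for fopen(path, "w") on a fixed name in a shared dir:
 * never follow a symlink at the last component, then check the descriptor
 * (not the path) is a regular file we own with one link (no hard links). */
int safe_status_open(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* ELOOP: a symlink was planted */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the report: a scratch directory with a decoy
 * "victim" file and a symlink named "statfs" pointing at it. Returns 1 when
 * the hardened open refuses the symlink, the decoy keeps its content, and a
 * genuine "statfs" created afterwards opens normally. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/asfsm-demo-XXXXXX", link[64], victim[64], buf[16];
    int fd, refused, intact, fresh;
    if (!mkdtemp(dir)) return 0;
    snprintf(link, sizeof link, "%s/statfs", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return 0;
    if (write(fd, "secret", 6) != 6 || close(fd) < 0) return 0;
    if (symlink(victim, link) < 0) return 0;
    refused = safe_status_open(link) < 0;         /* naive fopen would clobber */
    fd = open(victim, O_RDONLY);
    intact = fd >= 0 && read(fd, buf, sizeof buf) == 6 && !memcmp(buf, "secret", 6);
    if (fd >= 0) close(fd);
    unlink(link);                                 /* drop the planted link */
    fresh = (fd = safe_status_open(link)) >= 0;   /* a real file is fine */
    if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact && fresh;
}
```

The better fix, as the reply above suggests, is not to write into a shared directory at all; this check is the minimum for code that must.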