A bug in Elm

fflush (fflush@SUCKAH.ML.ORG)
Sun, 04 May 1997 11:52:05 -0400

Hi all,

I ran into an Elm feature the other day which allows you to overwrite
anyone's files (provided that certain conditions are met). When Elm is
started, it creates /tmp/mbox.Mailbox, which is there only to tell it that a
copy of Elm is running. When you go to "m)ail a message", two more files are
created: /tmp/snd.PID and /tmp/est.PID, where PID is the PID of that Elm
process. snd.PID is the tempfile where the actual message you're writing is
stored, and est.PID contains some sort of temporary data. The problem lies
in the fact that Elm doesn't check if these already exist, and the filenames
are quite predictable.

If you are so inclined, you could write a program to keep checking if people
are starting Elm, and when someone does, make appropriate hard links, for
example /tmp/est.PID -> /home/victim/important_file, and when the victim
goes to compose a new message, his important_file will be trash.

Another thing this can be used for is stealing the person's mail. If you
hardlink /tmp/snd.PID to a world writable file owned by you, the message
that the user writes will be written to it and Elm won't have permission to
remove it (since it's owned by you), so you end up with the mail that the
victim sent. It's possible to set up a daemon to grab ALL outgoing mail of a
user this way.

Fix? Well, Elm should check for the existence of these temporary files
before writing to them. If they are there, it should just give an error
message and quit. But, then again, this would make it possible for people to
deny everyone Elm service by simply touch-ing all the possible tempfile
names in /tmp... anyway.

The only version I tried this on is 2.4 PL24 (Linux), which I think is the
latest one.

If I've discovered an old bug, I apologize.

fflush
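The temp-file pattern the post describes, beside the check it proposes, as an added example that is not from the post or from Elm's source: the open with no existence check, the same check done atomically with O_EXCL, and mkstemp() for a name that cannot be predicted. The directory, the est.PID name and the planted file are constructed for the demo (a plain file stands in for the pre-made hard link).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the pre-planted /tmp entry: a plain file we create ourselves. */
int plant(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

long file_size(const char *path) {          /* bytes, or -1 if stat() fails */
    struct stat st; return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* The pattern the post describes: predictable name, no existence check. O_TRUNC
 * empties whatever inode the name points at (a planted hard link included). */
int open_tmp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The check the post asks for, done atomically: O_EXCL fails with EEXIST if the
 * name exists (hard link or symlink), with no stat()-then-open() race window. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Remove the predictability too (and the touch-all-names denial of service):
 * mkstemp() picks a random suffix and opens with O_CREAT|O_EXCL, mode 0600. */
int open_tmp_random(const char *dir, char *out, size_t out_len) {
    if (snprintf(out, out_len, "%s/est.XXXXXX", dir) >= (int)out_len) return -1;
    return mkstemp(out);
}

int main(void) {
    char dir[] = "/tmp/elmdemo.XXXXXX", path[300];
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/est.%ld", dir, (long)getpid());
    plant(path, "important data");                     /* the planted entry */
    int fd = open_tmp_insecure(path);
    if (fd >= 0) close(fd);
    printf("insecure open left %ld bytes; exclusive open: %s\n",
           file_size(path), open_tmp_exclusive(path) < 0 ? strerror(errno) : "opened");
    unlink(path);
    return rmdir(dir);
}
```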