<<< Date Index >>>     <<< Thread Index >>>

Insecure Temporary Files in BMC/Control-M Agent



BMC's Control M is an enterprise scheduling facility. 
Unfortunately, 
the agent software suffers from a problem with
insecure temporary file 
creation.  We noticed the problem on Solaris systems
running the version 
6.1.03 with current patches; it is reasonable to
assume that other OS 
platforms and versions are also affected.
 
The scripts to be run by a Control M job are stored in
temporary files 
with names like:
/tmp/ctm/CMD.10637  
 
The contents appear to be the contents of a job as
created by a Control 
M user.
 
The /tmp/ctm directory is created during the first
scheduled job that 
is run following a reboot.  Normally it is created
with root ownership 
and 755 permissions.  Depending on how frequently jobs
are run on a 
particular client, this may leave a significant window
of opportunity for 
some nefarious soul to create this directory with
other permissions or 
to create appropriately (or inappropriately) named
links.
 
It is left as an exercise to the reader to identify
ways in which to 
screw the system to the ground.
 
One less than ideal work-around would be to create the
/tmp/ctm 
directory before sshd, inetd or cron start up--say at
/etc/rc2.d/S68 in the 
boot cycle on Solaris 8.
 
BMC has been notified of this problem and has opened
up problem ticket 
number BMPM010114.  According to BMC Support, a fix
will be 
"implemented in a future release."  Rather than
waiting, I strongly suggest the 
workaround above.
 
Good luck:
--Scott




        
                
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com