bsd-init.txt symlink attack

Wouter Van Hemel wouter at
Mon Dec 2 21:21:58 PST 2002


I might already have emailed you a while ago, but allow me to push a bit
to get this fixed. ;)

These lines in the bsd-init.txt hint allow a symlink attack:

echo "Saving random seed to a temporary file..."
/bin/dd if=/dev/urandom of=/tmp/random-seed count=1 bs=512 2>/dev/null

... you might want to save 'random-seed' in a location only root has write
access to, maybe in /var/{spool,run,lib,state,whatever}. Root shouldn't
use public writable dirs, ever.

Sorry for the crosspost, I don't know who I should send this to for a fix.


Unsubscribe: send email to listar at
and put 'unsubscribe hints' in the subject header of the message

More information about the hints mailing list