Rapid7 Vulnerability & Exploit Database

RHSA-2000:080: tmpwatch has a local denial of service and root exploit

Back to Search

RHSA-2000:080: tmpwatch has a local denial of service and root exploit



tmpwatch as shipped in Red Hat Linux 6.1, 6.2, and 7.0 uses fork() to recursively process subdirectories, enabling a local user to perform a denial of service attack. Tmpwatch from Red Hat Linux 6.2 and 7.0 also contains an option to allow it to use the fuser command to check for open files before removal. It executed fuser in an insecure fashion, allowing a local root exploit.

The tmpwatch program periodically cleans up files in temporary directories by removing all files older than a certain age. In Red Hat Linux 6.1, 6.2, and 7.0, it used fork() to recursively process subdirectories. If a malicious user created many layers of subdirectories (thousands) in a temporary directory monitored by tmpwatch, the system process table would fill up, requiring a reboot. Additionally, tmpwatch in 6.2 and 7.0 contains an option, "--fuser", that attempts to user the fuser command to check if a file is in use before removal. However, it executed fuser with the system() call in an insecure fashion. A malicious user could construct an environment such that this provided them a local root shell. Tmpwatch now uses execle() to run fuser.


  • redhat-upgrade-tmpwatch

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center