1) install.sh insecure use of temporary files allows for arbitrary file appending as root

install.sh is run at installation time to kick off the installation of the LiveVault software. $LOGFILE is set to /tmp/lvinstall.log and progress of the installation is appended to $LOGFILE as needed. Since no precautions are taken to properly utilize a temporary file such as $LOGFILE (mktemp, or checking for existence of the file prior to writing), a symlink attack can be launched:

    ln -s /etc/some_important_file /tmp/lvinstall.log

Now, when install.sh is run, the target of the symlink (in this case, /etc/some_important_file) will have the progress of the LiveVault installation appended to it. Since install.sh must run as root, the amount of damage a local attacker can do is quite extensive.

2) uninstall.sh insecure use of temporary files allows for arbitrary file appending as root

Identical to problem #1, except that this occurs when LiveVault is uninstalled. uninstall.sh does install.sh one better and overwrites the target of /tmp/hosts on line 69 and the target of /tmp/crontab.temp on line 76.

3) install_subr.sh install_tools() insecure use of temporary files allows for arbitrary file overwrite as root

Similar to problems #1 and #2. install.sh sources install_subr.sh. If check_tools() in install_subr.sh determines that gnupg needs to be installed and $HOME/.gnupg/options exists (unlikely, considering ~/.gnupg/options is non-standard), a similar symlink attack can be mounted against /tmp/option.temp. The key difference here is that this allows a local attacker to *overwrite* files with the contents of $HOME/.gnupg/options as opposed to just appending said content to the end of the target file.

This blatant disregard for security is rampant throughout all of the LiveVault scripts.

The following are the remainder of the insecure temporary file issues I found, albeit much more brief than the first 3:

scripts/add_backup.sh (symlink attack against /tmp/backup_list.temp, line 224)

scripts/add_redirect.sh (symlink attack against /tmp/backup_list.temp, line 98)

scripts/browse_server.sh (symlink attack against /tmp/lvgftprc.temp, line 121. Only exploitable when something other than sftp is used to browse the LiveVault backups, namely gftp. Allows arbitrary file overwrite as root)

scripts/disable_email.sh (symlink attack against /tmp/backup_info.temp, line 65)

scripts/import_customer_keys.sh (yet another symlink attack. This time, against /tmp/restorekey.$$ and /tmp/restorekey2.$$. While an exhaustive attack could be launched against all possible pids, this attack is considerably easier as prior to the usage of those two files, the user running the script is prompted for information, thereby giving an attacker ample time to potentially see the pid and launch an attack.)

scripts/load_restore_media.sh (symlink attack against /tmp/loaderrors1 and /tmp/loaderrors2, line 93)

scripts/remove_backup.sh (symlink attack against /tmp/backup_list.temp, line 36)

scripts/remove_redirech.sh (symlink attack against /tmp/socemail2, line 50)

scripts/set_bandwidth.sh (symlink attack against /tmp/backup_info.temp, line 51)

scripts/trim_logs.sh (symlink attack against /tmp/list$$. Must simply pre-litter /tmp with enough files such that a pid match is likely, and then the symlink attack is as easy as ever)

scripts/update_crontab.sh (symlink attack against /tmp/crontab.temp and /tmp/crontab.new, lines 53, 74)

It should be noted that run_backup.sh, the script that runs on a regular basis to actually do the backups, does take precautions to ensure that files in /tmp are used securely. All of these scripts get installed as part of the LiveVault installation process and many of them are used on a regular basis during the day to day maintenance of the LiveVault installation.

Since all of these scripts run as root or an equally privileged user, the damage that these symlink attacks can cause can be catastrophic. Without rewriting all of these scripts to properly and securely deal with temporary files, an administrator of a LiveVault system is left to improvise in the hopes of finding ways around these piles of bugs.
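
The fixed-name logging pattern from problem #1 next to an mktemp-based replacement, as an added example that is not LiveVault code and not part of the original advisory. The function names are hypothetical, and the demo runs entirely inside a constructed sandbox directory standing in for /tmp and the important file.

```sh
#!/bin/sh
# Added example, not LiveVault code. Function names are hypothetical.

# Weak pattern from the advisory: append to a fixed name in a shared
# directory. ">>" follows any symlink already planted at that name.
log_insecure() {    # $1 = shared dir, $2 = message
    LOGFILE="$1/lvinstall.log"
    echo "$2" >> "$LOGFILE"
}

# Hardened pattern: mktemp -d atomically creates a new directory with an
# unpredictable name and mode 0700, so no other local user can plant a
# link inside it. Prints the log path to use.
make_private_log() (    # $1 = shared dir
    umask 077
    dir=$(mktemp -d "$1/lvinstall.XXXXXX") || exit 1
    : > "$dir/install.log" || exit 1
    echo "$dir/install.log"
)

# Constructed sandbox: a stand-in "important file" and a stand-in /tmp.
# Prints how many lines each logging style appended to the important file.
symlink_demo() (
    sandbox=$(mktemp -d) || exit 1
    mkdir "$sandbox/tmp"
    echo "original content" > "$sandbox/important_file"
    ln -s "$sandbox/important_file" "$sandbox/tmp/lvinstall.log"

    log_insecure "$sandbox/tmp" "install progress"
    after_insecure=$(wc -l < "$sandbox/important_file" | tr -d ' ')

    log=$(make_private_log "$sandbox/tmp") || exit 1
    echo "install progress" >> "$log"
    after_private=$(wc -l < "$sandbox/important_file" | tr -d ' ')

    rm -rf "$sandbox"
    echo "appended_by_insecure=$((after_insecure - 1))" \
         "appended_by_private=$((after_private - after_insecure))"
)

symlink_demo
```

The same replacement applies to the $$-based names listed above, since a pid is guessable while an mktemp name is created atomically and fails if the name already exists.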