CVE-2001-0946
Description
apmscript in Apmd in Red Hat 7.2 "Enigma" allows local users to create or change the modification dates of arbitrary files via a symlink attack on the LOW_POWER temporary file, which could be used to cause a denial of service, e.g. by creating /etc/nologin and disabling logins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products: 2
Patches
Vulnerability mechanics
Root cause
"The apmscript uses a hard-coded predictable path `/tmp/LOW_POWER` with `touch` while running as root, allowing a local attacker to pre-create a symlink to an arbitrary file."
Attack vector
A local attacker first creates a symbolic link from `/tmp/LOW_POWER` to an arbitrary target file (e.g., `/etc/nologin`). When the system enters an APM low-battery state—which occurs on laptops or special machines—the `apmscript` runs as root and executes `touch /tmp/LOW_POWER`. Because the symlink is followed, the `touch` command modifies the access/modification timestamp of the target file, or creates it if it does not exist. This allows the attacker to create or change the modification date of arbitrary files on the system [ref_id=1].
Affected code
The vulnerable script is `/etc/sysconfig/apm-scripts/apmscript` in the `apmd-3.0final-34` package on Red Hat 7.2 "Enigma". The script executes `touch /tmp/LOW_POWER` when the APM system signals a low-battery state and the `$LOWPOWER_SERVICES` variable is non-empty (defaulting to "atd crond") [ref_id=1].
What the fix does
The advisory does not include a published patch. The recommended remediation is for the vendor to modify the `apmscript` to use a safe temporary file creation method—such as using `mktemp` or writing to a directory owned by a dedicated user—rather than a hard-coded predictable path in `/tmp/`. This would prevent the symlink-following attack by ensuring the temporary file is created securely [ref_id=1].
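The difference between the vulnerable `touch` and a hardened flag creation can be shown in a throwaway sandbox. This is an added example, not code from the advisory or from apmd. The function names, return codes and sandbox layout are assumptions, and it swaps in a fixed-name flag inside an owner-only directory created with noclobber rather than `mktemp`.

```shell
#!/bin/sh
# Added example (not from the advisory). Everything runs inside a mktemp sandbox.

# Vulnerable pattern: touch on a fixed path follows a symlink planted there.
flag_unsafe() { touch "$1"; }

# Hardened (hypothetical helper): the flag lives in a directory only its owner
# can write, and is created with noclobber (O_CREAT|O_EXCL), which refuses to
# create through a symlink.
flag_safe() {
    dir=$1 name=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 2
    # Reject group- or world-writable state directories (the /tmp case).
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 3
    # An existing regular, non-symlink flag means "already set".
    if [ -f "$dir/$name" ] && [ ! -L "$dir/$name" ]; then return 0; fi
    ( set -C; : > "$dir/$name" ) 2>/dev/null || return 4
}

demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp" "$box/state" "$box/etc"      # constructed stand-ins for /tmp, a state dir, /etc
    chmod 1777 "$box/tmp"; chmod 700 "$box/state"
    ln -s "$box/etc/nologin" "$box/tmp/LOW_POWER"
    flag_unsafe "$box/tmp/LOW_POWER"
    if [ -e "$box/etc/nologin" ]; then echo "unsafe: target created through symlink"; fi
    rc=0; flag_safe "$box/tmp" LOW_POWER || rc=$?
    echo "safe, world-writable dir: rc=$rc (refused)"
    rc=0; flag_safe "$box/state" LOW_POWER || rc=$?
    echo "safe, owner-only dir: rc=$rc"
    rm -rf "$box"
}
demo
```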
Preconditions
- input: The attacker must have local access to the machine and be able to create symlinks in /tmp.
- config: The system must be a laptop or special machine capable of signaling an APM low-battery state.
- config: The $LOWPOWER_SERVICES variable must be non-empty (defaults to 'atd crond').
- auth: The apmscript must be executed as root (it runs as superuser).
Reproduction
1. As a local user, create a symlink: `ln -s /etc/nologin /tmp/LOW_POWER`.
2. Provoke a low-battery state on the laptop (e.g., disconnect the power line and wait).
3. When the APM system signals the low-battery condition, `apmscript` runs as root and executes `touch /tmp/LOW_POWER`, which follows the symlink and creates `/etc/nologin`.
4. Subsequent SSH login attempts by other users fail because `/etc/nologin` exists, causing a denial of service [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4