[345] in linux-security and linux-alert archive
Re: selection summary
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Sat Sep 2 09:18:25 1995
From: okir@monad.swb.de (Olaf Kirch)
To: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas König)
Date: Fri, 1 Sep 1995 23:50:33 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199509011648.SAA12262@mvmampc66.ciw.uni-karlsruhe.de> from "Thomas König" at Sep 1, 95 06:48:05 pm
The problem with tempfiles as I see it is that you can't be sure
where the file is actually created unless you have made it. All
proposals I've seen so far do create the file, and abort if they
notice they have been spoofed. This may not always be enough.
There are programs for which even an empty file has significance.
One such beast is cron: if you have no allow file, but an empty
deny file, every user is given access. Admittedly, being able to run
cron jobs does not constitute a security breach by itself, and not
many people will have crond running without either an allow or deny
file... Off the top of my head, I can't think of a more serious
example, but it serves to show the problem. Another issue may be
denial of service attacks, where programs stop working when they
recognize a lock file.
Of course, removing the file after you notice you have been spoofed
is an option, provided you can be sure you just created it, and nobody
flips the symlink to /etc/passwd while you're doing this...
Olaf
PS: My comment about dip showing you arbitrary files is no longer true,
as Jeff Uphoff and Perry F Nguyen have pointed out. dip-337n fixes this
problem.
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
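The two points Olaf raises above (you can only be sure where a temp file lives if the kernel guarantees you created it, and removing a file by name after a suspected spoof is itself risky) map directly onto a couple of syscall idioms. The following is an added example, not code from the original thread or from any of the programs it mentions; it assumes Linux/glibc and uses hypothetical function names (`create_exclusive`, `name_still_ours`, `remove_if_ours`, `demo`) and a constructed scratch directory under /tmp. `O_CREAT|O_EXCL` makes open(2) fail with EEXIST if anything, symlink included, already exists at the path, so a returned descriptor always refers to a file this process made; and before acting on the name again, fstat(2) on the descriptor is compared against lstat(2) on the name so that a symlink swapped in afterwards is never followed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a brand-new file at `path`. O_CREAT|O_EXCL makes the kernel fail with
 * EEXIST if *anything* already exists there (regular file, symlink, ...), so
 * a returned fd always refers to a file this process created. O_NOFOLLOW is
 * belt and braces: it refuses to follow a symlink at `path` regardless.
 * Returns the fd, or -1 with errno set. */
int create_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Before touching `path` by name again (e.g. to remove it), confirm the name
 * still refers to the inode we hold open: same device and inode as fstat(fd),
 * a regular file, exactly one hard link. lstat() is used on purpose so that a
 * symlink planted at `path` is seen as a symlink, not as its target.
 * Returns 1 if the name still refers to our file, 0 otherwise. */
int name_still_ours(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    return S_ISREG(ls.st_mode) && ls.st_nlink == 1 &&
           fs.st_dev == ls.st_dev && fs.st_ino == ls.st_ino;
}

/* Remove the temp file only if the name still points at our inode; otherwise
 * leave the name alone and just close our descriptor. Returns 1 if unlinked. */
int remove_if_ours(int fd, const char *path)
{
    int unlinked = 0;
    if (name_still_ours(fd, path))
        unlinked = (unlink(path) == 0);
    close(fd);
    return unlinked;
}

/* Walk through the idiom inside a private directory from mkdtemp(3).
 * Returns 0 on success, a small non-zero code identifying the failed step. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";           /* constructed scratch dir */
    char lock[PATH_MAX], target[PATH_MAX], spoofed[PATH_MAX];
    int fd = -1, again = -1, tfd = -1, sfd = -1, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(spoofed, sizeof spoofed, "%s/spoofed", dir);

    /* 1. First creation succeeds; a second at the same name must fail EEXIST. */
    fd = create_exclusive(lock);
    if (fd < 0) { rc = 2; goto out; }
    again = create_exclusive(lock);
    if (again >= 0) { rc = 3; goto out; }
    if (errno != EEXIST) { rc = 4; goto out; }

    /* 2. The name still refers to our inode, so removing it by name is safe. */
    if (!name_still_ours(fd, lock)) { rc = 5; goto out; }
    if (!remove_if_ours(fd, lock)) { rc = 6; goto out; }
    fd = -1;

    /* 3. Constructed stand-in for a name already occupied by a symlink (it
     *    points only at a file inside our own scratch dir): O_EXCL refuses to
     *    create through it, and lstat() reports the name is not ours. */
    tfd = create_exclusive(target);
    if (tfd < 0) { rc = 7; goto out; }
    if (symlink(target, spoofed) != 0) { rc = 8; goto out; }
    sfd = create_exclusive(spoofed);
    if (sfd >= 0) { rc = 9; goto out; }
    if (errno != EEXIST) { rc = 10; goto out; }
    if (name_still_ours(tfd, spoofed)) { rc = 11; goto out; }

out:
    if (fd >= 0) close(fd);
    if (again >= 0) close(again);
    if (sfd >= 0) close(sfd);
    if (tfd >= 0) remove_if_ours(tfd, target);   /* also closes tfd */
    unlink(spoofed);                               /* removes the link, never its target */
    unlink(lock);
    rmdir(dir);
    return rc;
}
```

The check in `name_still_ours` is itself a window between the lstat and whatever follows, which is exactly the flipping Olaf worries about; the point of the example is that the only name-based operation performed after the check is unlink(2), which removes a symlink rather than following it, and everything else (writing, truncating, fstat) goes through the descriptor obtained from the exclusive open.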