[900] in linux-security and linux-alert archive
Re: [linux-security] Re: You wouldn't believe it...
daemon@ATHENA.MIT.EDU (velcro@pobox.com)
Fri Jul 12 11:37:54 1996
To: jhenders@bogon.com
Date: Wed, 10 Jul 1996 21:36:22 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <E0ue6CB-00013a-00@stdismas.bogon.com> from "John Henders" at Jul 10, 96 01:49:15 pm
From: velcro@pobox.com
Reply-To: velcro@pobox.com

jhenders@bogon.com:
> Jon Lewis writes:
>
> > [tmp]
> > comment = Temporary file space
> > path = /tmp
> > read only = no
> > public = yes
> >
> > On a small box such as this one, where the root fs is _the_ fs, a world
> > writable (no account needed) exported directory could be a very bad thing.
>
> Only if there's a bug in samba that allows you to get out of the
> directory that is exported, as there was with the NT implementation.

Exporting /tmp rw is always scary, especially when you don't have root
squash or somesuch enabled.

> The problem is even worse when installing a whole distribution, as in my
> experience, no one sticks around to watch the messages printed on a
> large install. Perhaps if the installers had info sheets for each
> package, on a bulk install they could save them all to disk and then
> mail the whole thing to root after installation.

Fantastic idea. Pretty please, redhat.com?

--
Dan D'Ambrosio
velcro@pobox.com
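
An added example, not part of the original message or of any distribution's tooling: a small auditor that reads smb.conf text and reports shares that are both guest-accessible and writable, as the quoted [tmp] share is. The function names and the sample config are constructed for illustration; the parser assumes [global] comes before the shares that inherit from it and ignores line continuations and include directives.

```python
# Constructed sample; [tmp] is the share quoted in the thread.
SAMPLE_CONF = """\
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes
[docs]
   path = /srv/docs
   guest ok = yes
   writable = no
"""

TRUE = {"yes", "true", "on", "1"}
GUEST = {"guestok", "public"}                          # "public" is a synonym of "guest ok"
WRITE_INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

def parse_shares(text):
    """Return {section: {"guest": bool, "readonly": bool, "path": str}}."""
    shares, current = {}, None
    defaults = {"guest": False, "readonly": True, "path": ""}  # Samba's defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            # Shares start from [global] values if that section was seen earlier.
            current = shares.setdefault(name, dict(shares.get("global", defaults)))
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.split()).lower()     # names ignore case and spaces
        on = value.strip().lower() in TRUE
        if key in GUEST:
            current["guest"] = on
        elif key == "readonly":
            current["readonly"] = on
        elif key in WRITE_INVERTED:
            current["readonly"] = not on
        elif key == "path":
            current["path"] = value.strip()
    return shares

def risky_shares(text):
    """List (share, path) pairs that allow guest access and writes."""
    return sorted((n, s["path"]) for n, s in parse_shares(text).items()
                  if n != "global" and s["guest"] and not s["readonly"])
```

Running `risky_shares` over a freshly installed smb.conf gives the kind of post-install check the thread asks for; on the sample it reports only the [tmp] share.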