[11290] in bugtraq


Re: user flags in public temp space (was Re: chflags() [heads up])

daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Aug 6 18:04:17 1999

Content-Type: text
Message-Id:  <199908060417.OAA24850@cheops.anu.edu.au>
Date:         Fri, 6 Aug 1999 14:17:22 +1000
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         deraadt@CVS.OPENBSD.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199908050756.BAA10138@cvs.openbsd.org> from "Theo de Raadt" at
              Aug 5, 99 01:56:47 am

In some mail from Theo de Raadt, sie said:
[...]
> > a) Root should not use /tmp.  Root is root and, as the proverbial
> > 800-pound gorilla, can make temporary files wherever it pleases.
> > FreeBSD, for example, seems to be doing a lot in /var/run, which is
> > root-owned, and not world-writable.  At least root should use
> > subdirectories of /tmp and test to see if it can mkdir(1) them before use
> > (see OpenBSD2.5's /etc/security, for example).
>
> As much as possible, we've now killed almost all of the /tmp races in
> the system, so root is as safe as any other user.  Even gcc now plays
> things safe, it appears.  But /tmp problems keep occurring in packages
> which people add to the system.

If you're designing a software package, want to use temporary files and
directories but you need the names to be the same every time, where do
you put them?  Are you required to use open(O_CREAT|O_EXCL) for files
in /tmp?  Apart from the ability to exchange files between users with
/tmp, having private /tmp's for each uid using the system (with a non-
world writeable /tmp) has a lot of merit which I hope someone will someday
properly explore - i.e. there exist programming languages in which the
buffer overflow is a non-event, now we need an operating system design
where the /tmp file race-condition is a non-event.

Darren
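
An added example in C (not from Darren's or Theo's mail) showing the two patterns the thread raises: a private subdirectory whose mkdir(2) result is checked before use, in the spirit of the /etc/security script mentioned above, and a fixed-name file opened with O_CREAT|O_EXCL so that a pre-existing entry, symlink included, is refused rather than followed. The directory name, the file names and the self-check function are assumptions of this example.

```c
/* Added example: fixed-name temp files in a checked private subdirectory. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private subdirectory: mkdir must succeed outright.  EEXIST is treated as
 * hostile (someone may have planted a directory or symlink with that name),
 * then lstat confirms it really is our own 0700 directory, not a symlink. */
int make_private_tmpdir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) != 0)
        return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

/* Fixed-name file: O_CREAT|O_EXCL refuses any name that already exists, so a
 * pre-planted symlink is never followed.  Returns an fd, or -1 with errno. */
int open_fixed_tmpfile(const char *path)
{
    int flags = O_RDWR | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;            /* defence in depth where available */
#endif
    return open(path, flags, 0600);
}

/* Self-check (constructed scenario): a second open of the same fixed name,
 * and an open of a name that is already a symlink, must both fail.
 * Returns 0 when both refusals happen, -1 otherwise; cleans up after itself. */
int demo_fixed_name_tmp(void)
{
    char dir[64], file[96], link[96];
    int fd, ok = 0;
    snprintf(dir, sizeof dir, "/tmp/fixedname.%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/state", dir);
    snprintf(link, sizeof link, "%s/planted", dir);
    if (make_private_tmpdir(dir) != 0)
        return -1;
    fd = open_fixed_tmpfile(file);                /* first use: succeeds */
    if (fd >= 0 && open_fixed_tmpfile(file) == -1 && errno == EEXIST &&
        symlink(file, link) == 0 &&               /* constructed planted link */
        open_fixed_tmpfile(link) == -1 && (errno == EEXIST || errno == ELOOP))
        ok = 1;
    if (fd >= 0) close(fd);
    unlink(link); unlink(file); rmdir(dir);
    return ok ? 0 : -1;
}
```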
