[20368] in bugtraq


Re: Linux patches to solve /tmp race problem

daemon@ATHENA.MIT.EDU (Christoph Hellwig)
Sun Apr 22 14:18:02 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20010422151202.A7880@caldera.de>
Date:         Sun, 22 Apr 2001 15:12:03 +0200
Reply-To: Christoph Hellwig <hch@CALDERA.DE>
From: Christoph Hellwig <hch@CALDERA.DE>
X-To:         "Donaldson, Matthew" <matthew@DATADELIVERANCE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <15072.12895.627024.191687@localhost.localdomain>

Hi Matthew,

In article <15072.12895.627024.191687@localhost.localdomain> you wrote:
> I have recently developed some patches to the Linux 2.2 kernels which solve
> the /tmp race problem without needing to define environment variables -
> useful particularly for naive applications and scripts which don't use
> TMPDIR and friends.
>
> The patch creates "dynamic" symlinks, which point to different paths
> depending on the user accessing them (for example, including the UID in the
> path name).  Such a link can be placed instead of /tmp and/or /var/tmp, and
> any other similar directories.  More usefully, these links can be configured
> to automatically create the directory they refer to if it does not exist.
>
> This means you can create a directory such as /tmp_files, for example, and
> have the /tmp link automatically create user directories in it on demand.
> Default permissions and ownership can be specified.

I think your proposal is a really kludgy hack.  While the idea of
user-specific namespaces in general is a very good idea, your patch is far
too ungeneric.

A sane implementation of the same concept can easily be done using Al Viro's
namespace patches for Linux 2.4 (latest version is namespaces-b-S3-pre8.gz in
ftp.math.psu.edu:/pub/viro) - this patch allows an additional parameter
(CLONE_NEWNS) to be passed to clone(2), Linux's syscall for the creation of
rfork-style variable-weight processes, which will set up a completely different
mount table (copied from the parent).

In this particular case the login process would create the user's login
shell's process using CLONE_NEWNS and use the Linux 2.4+ namespace
bindings to create a private temp directory.  The following code sequence
(untested and simplified) should give a hint how to implement the private
tmpdir binding after the clone(..., CLONE_NEWNS):

	/* needs <pwd.h>, <unistd.h>, <string.h>, <sys/mount.h> */
	pw = getpwuid(getuid());	/* entry of the user being logged in */
	if (pw) {
		strlcpy(tmpdir, pw->pw_dir, MAXTMPDIR);
		strlcat(tmpdir, "/tmp", MAXTMPDIR);
		createifdoesnotexist(tmpdir);	/* mkdir ~/tmp, mode 0700 */
		/* bind ~/tmp over /tmp in this process's private mount table */
		mount(tmpdir, "/tmp", "dontcare", MS_BIND, NULL);
	}
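The sequence above fleshed out into a complete program (an added example, not Christoph's code and not part of the namespace patches): it looks up the user's home, creates ~/tmp if missing, refuses it unless it is a real directory owned by that user (lstat, so a pre-planted symlink is not followed), detaches the mount table, bind-mounts ~/tmp over /tmp and execs the user's shell. It assumes a Linux kernel with unshare(2) (2.6.16+) in place of clone(2) with CLONE_NEWNS, that the caller is root, and that the distribution's root mount may be "shared" (hence the MS_PRIVATE step, which 2.4 did not need). The helper names build_private_tmp and ensure_private_dir are this example's own.

```c
/* private_tmp.c -- added example, not from the original post.
 * Gives one login session its own /tmp by bind-mounting a per-user
 * directory over /tmp inside a private mount namespace.
 * Run as root: ./private_tmp [uid]   (mount() needs CAP_SYS_ADMIN)
 * Uses unshare(2) instead of clone(2)+CLONE_NEWNS; the effect on the
 * mount table is the same as described in the post. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000   /* value from <linux/sched.h> */
#endif
extern int unshare(int flags);   /* in case _GNU_SOURCE was not in effect */

/* Build "<home>/tmp" into buf.  Returns 0, or -1 if home is missing,
 * not absolute, or the result does not fit. */
int build_private_tmp(char *buf, size_t n, const char *home)
{
    int len;
    if (!home || home[0] != '/')
        return -1;
    len = snprintf(buf, n, "%s/tmp", home);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return 0;
}

/* Create path as a 0700 directory owned by uid:gid if it does not exist,
 * then verify with lstat (symlinks NOT followed) that it really is a
 * directory owned by uid.  Returns 0 on success, -1 with errno set. */
int ensure_private_dir(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (mkdir(path, 0700) == 0) {
        if (chown(path, uid, gid) != 0)
            return -1;
    } else if (errno != EEXIST) {
        return -1;
    }
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid) {
        errno = EPERM;   /* symlink, plain file, or someone else's directory */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char tmpdir[PATH_MAX];
    struct passwd *pw;
    uid_t uid = argc > 1 ? (uid_t)atoi(argv[1]) : getuid();

    pw = getpwuid(uid);
    if (!pw) { fprintf(stderr, "no passwd entry for uid %u\n", (unsigned)uid); return 1; }
    if (build_private_tmp(tmpdir, sizeof tmpdir, pw->pw_dir) != 0) {
        fprintf(stderr, "unusable home directory\n"); return 1;
    }
    if (ensure_private_dir(tmpdir, pw->pw_uid, pw->pw_gid) != 0) {
        perror(tmpdir); return 1;
    }
    /* Detach this process's mount table from its parent's. */
    if (unshare(CLONE_NEWNS) != 0) { perror("unshare"); return 1; }
    /* Stop the bind from propagating back into the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) {
        perror("mount MS_PRIVATE"); return 1;
    }
    /* From here on, /tmp in this session means ~/tmp. */
    if (mount(tmpdir, "/tmp", NULL, MS_BIND, NULL) != 0) {
        perror("mount MS_BIND"); return 1;
    }
    /* Drop to the user and start the login shell inside the new namespace. */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) { perror("setuid"); return 1; }
    execl(pw->pw_shell, pw->pw_shell, (char *)NULL);
    perror("execl");
    return 1;
}
```

Because the bind mount lives only in the shell's namespace, other users still see the ordinary shared /tmp, and programs that ignore TMPDIR get the private directory without any change. The ownership and lstat check in ensure_private_dir matters: the whole point is to take /tmp out of the race, so ~/tmp itself must not be something another party could have planted.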

Besides the general conceptual flaws your patch also has some implementation
problems.  First, your tmpdir creation is implemented in the filesystem
specific kernel code and not in the VFS.  What does your patch do with /tmp
on nfs or reiserfs?  Nothing.  Secondly, you are checking against an
effective userid of zero in your code - as Linux 2.2 uses a Posix 1003.1e
(draft, withdrawn) capability model and the old Unix model of comparing
against the zero user id is considered legacy, this is a very bad idea.

A better implementation of context-sensitive directories is Malcolm Beattie's
mlsfs.  It's implemented as its own filesystem, so it is completely
independent of the underlying physical filesystem.  Its home on the web is at
http://users.ox.ac.uk/~mbeattie/linux-kernel.html.

	Christoph

--
Of course it doesn't work. We've performed a software upgrade.
