[7278] in bugtraq
Re: Linux and world-writable /tmp - workaround
daemon@ATHENA.MIT.EDU (David Luyer)
Wed Jul 15 14:02:04 1998
Date: Tue, 14 Jul 1998 10:43:53 +0800
Reply-To: David Luyer <luyer@UCS.UWA.EDU.AU>
From: David Luyer <luyer@UCS.UWA.EDU.AU>
X-To: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Fri, 10 Jul 1998 10:26:07 +0200."
<Pine.LNX.3.96.980710102541.589A-101000@lcamtuf>
> Module tries to redirect requests to directory pointed by TMPDIR variable.
> If it isn't set, HOME + '/tmp' is used.
>
> NOTES:
>
> - Only requests to '/tmp', and only from unprivileged processes
> are redirected (and that's the goal). Root and suid programs
> are able to access /tmp directory as-is - there's no reason
> to redirect it, because directory is still root-writable.
So...root runs;

    UPDBTMP=`run-update-db-find-as-nobody-return-output-filename`
    do-stuff-with-returned-filename-UPDBTMP

or

    TMP=careful-secure-make-tmp-file
    su nobody -c "run-updatedb $TMP"

and this is broken, since root's request to /tmp is not mutilated but
nobody's request is mutilated, in fact to root's $HOME/tmp which is
not writable by 'nobody' in the first place if it even exists.

If temp directory is chosen by the environment, SUID (SUID someone other than
root) programs try to write somewhere they may not have access.

If temp directory is chosen by current user id values, temp files cannot
be passed easily by filename between routines running under different
user id's.

If a special case is made for root, you get the second problem with the
environment variable problem too.

The fix for /tmp is not to remap it but to remove it. Fix the programs.
Set a TMPDIR in login scripts and/or use a default of not $HOME/tmp but
$HOME when it is not set as this is then an error condition.
David.
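
Added example, not part of the original message or of the module it discusses: a shell sketch of the "fix the programs" approach, where a script takes its temp directory from TMPDIR, falls back to $HOME (not $HOME/tmp) when it is unset, and creates the file with mktemp. The function names and the ownership and permission checks are assumptions added for illustration.

```shell
#!/bin/sh
# Added illustration. private_tmpdir and private_tmpfile are hypothetical
# helpers, not code from the thread.

# Pick the per-user temp directory: TMPDIR if set, otherwise $HOME itself
# (not $HOME/tmp), as the message suggests.
private_tmpdir() {
    dir=${TMPDIR:-$HOME}
    [ -n "$dir" ] && [ -d "$dir" ] || {
        echo "no usable temp directory" >&2
        return 1
    }
    # Assumption added here: refuse a directory the caller does not own, or
    # one that group/other can write to, since that recreates the shared
    # /tmp problem under a different path.
    [ -O "$dir" ] || {
        echo "$dir: not owned by caller" >&2
        return 1
    }
    # "$dir/." makes ls report the directory itself even if $dir is a symlink.
    case $(ls -ld -- "$dir/.") in
        d????w*|d???????w*)
            echo "$dir: group- or world-writable" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$dir"
}

# Create a temp file named <prefix>.XXXXXX in that directory and print its
# path. mktemp creates the file exclusively with mode 0600 and a random
# suffix, so a pre-planted file or symlink is never opened.
private_tmpfile() {
    dir=$(private_tmpdir) || return 1
    (umask 077 && mktemp "$dir/${1:-tmp}.XXXXXX")
}

# Typical use in a script:
#   out=$(private_tmpfile updatedb) || exit 1
#   trap 'rm -f "$out"' EXIT
```

A file created this way is private to the calling user, so the cross-uid hand-off in the message's `su nobody` case still needs an explicit arrangement (for example a pipe or a directory set up for that purpose).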