[17576] in bugtraq
Re: StarOffice 5.2 Temporary Dir Vulnerability
daemon@ATHENA.MIT.EDU (Peter W)
Thu Nov 9 03:23:08 2000
Message-ID: <3A09EACD.D19122A@JunkMailForbidden.usa.net>
Date: Wed, 8 Nov 2000 19:07:41 -0500
Reply-To: Peter W <peterw@USA.NET>
From: Peter W <peterw@USA.NET>
X-To: Christian <christian@dijkstra.murdoch.edu.au>
To: BUGTRAQ@SECURITYFOCUS.COM

Christian wrote:
> A while back I noticed that StarOffice 5.2 (running under Linux and
> Solaris) creates a temporary directory under /tmp with the name
> "soffice.tmp" with permissions 0777.

Ah, our old friend /tmp. WordPerfect and VMWare had similar problems...

> My suggested workaround is to create a symbolic link from
> /tmp/soffice.tmp to a directory inside your home directory which
> is inaccessible to anyone but yourself. Doing this before running
> StarOffice would seem to protect against the vulnerability and this
> could be written into a simple shell script wrapper.
>

...and similar solutions. A better workaround is to set the environment
variable TMP to a safe alternative before running StarOffice. If you do
this, StarOffice will create the mode 0777 dir inside $TMP. I don't know if
this is documented, but it works (tested with StarOffice 5.2 for Linux),
and that's what matters. ;-)

Below is a shell script Red Hat Linux users can put in /etc/profile.d (be
sure to make it at least 0555, and use a .sh extension) to take care of
this, and similar, temp dir issues for users of sh/Bash shells, starting
the next time each user logs in. Others, source this from your .profile or
whatever, so your temp dir vars are properly set when you log in.

Or put it in a wrapper script, but I think history has shown that it's a
good idea to set these variables so that other applications might behave
more safely, too. Search the Bugtraq archive for TMPDIR for more cases.

IIRC, some (many? most?) other Linux distros support /etc/profile.d scripts
for sh/Bash, but YMMV.

Note that while WordPerfect 8 and VMWare respect $TMPDIR, StarOffice uses
$TMP. So my script now sets both variables, Just In Case.

Christian, thanks for the catch.

-Peter
other stuff at http://www.tux.org/~peterw/

#
# bastille-tmpdir.sh
#
# This script sets TMP/TMPDIR environment variables for some added
# safety on multi-user systems. Many applications write temporary
# files in unsafe ways to /tmp unless TMP and/or TMPDIR are set.
#
if [ -z "${TMPDIR}" ]; then
    # TMPDIR is not set
    TMPDIR="${HOME}/tmp"
    # HOME="" expands to "/tmp" and HOME="/" expands to "//tmp"
    if [ "${TMPDIR}" = /tmp ] || [ "${TMPDIR}" = //tmp ]; then
        # This user's home dir is "/"? SysV-root?
        TMPDIR=/tmp-root
    fi
    if [ ! -d "${TMPDIR}" ]; then
        # We need to create the directory, with sane permissions
        mkdir -m 0700 "${TMPDIR}" 2>/dev/null && export TMPDIR \
            && TMP="${TMPDIR}" && export TMP \
            || echo "Warning: unable to create safe TMPDIR"
    else
        # Directory already exists: use it as-is
        TMP="${TMPDIR}"
        export TMP
        export TMPDIR
    fi
fi
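
Added example, not part of the original message: the script above exports an already-existing directory without inspecting it, so this sketch shows one way to verify that a directory is private before TMP/TMPDIR point at it. The function names `is_private_dir` and `use_private_tmp` are hypothetical, and the check assumes the usual `ls -ldn` column layout (mode, links, numeric uid, ...).

```shell
# Added example (hypothetical helper names, not from the original post).

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with mode exactly rwx------ and no ACL marker.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # Assumption: ls -ldn prints "mode links uid gid ..." as its first fields.
    ls -ldn -- "$1" | (
        read -r mode _links uid _rest || exit 1
        case $mode in
            drwx------|drwx------.) ;;   # trailing "." is the SELinux marker
            *) exit 1 ;;                 # group/other bits or "+" ACL: reject
        esac
        [ "$uid" = "$(id -u)" ]
    )
}

# Point TMP and TMPDIR at $1, creating it with mode 0700 if it is absent.
# Leaves both variables untouched and returns 1 if $1 cannot be trusted.
use_private_tmp() {
    # mkdir without -p fails if anything already exists at the path, so a
    # directory or symlink planted by someone else is never silently reused.
    mkdir -m 0700 -- "$1" 2>/dev/null || :
    is_private_dir "$1" || return 1
    TMPDIR=$1
    TMP=$1
    export TMPDIR TMP
}

# Typical use when sourced from a login profile:
#   [ -n "$TMPDIR" ] || use_private_tmp "$HOME/tmp" \
#       || echo "Warning: unable to create safe TMPDIR" >&2
```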