[18124] in bugtraq
Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary
daemon@ATHENA.MIT.EDU (0d0)
Mon Dec 18 16:53:37 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.30.0012151546070.17025-100000@mail.tarp3.com>
Date: Fri, 15 Dec 2000 16:08:59 -0800
Reply-To: 0d0 <odo@MAIL.TARP3.COM>
From: 0d0 <odo@MAIL.TARP3.COM>
X-To: Mark Delany <MarkD@BUSHWIRE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001214225127.625.qmail@geex.bushwire.net>
On Thu, 14 Dec 2000, Mark Delany wrote:
[snip]
> Programmers who write general purpose shells and editors and
> sorts shouldn't have to worry about security issues.
Is this not the sort of justification we constantly see from vendors?
Anyone who writes software for use on shareable systems, especially when
their code may be sold (or GPLd or shared or plain given away) should be
concerned about security issues.
I'm sure that more than a few hundred lurkers on this list would agree
that if a chance exists for an elevation of privileges on a system it will
be found and taken advantage of and hopefully show up on Bugtraq so others
can fix it...
Insecure programming habits are no excuse.
> I'm sure many people have been "guilty" of writing a quick and nasty
> shell script that ends in something like: >/tmp/out.$$
>
but why not: >./out.$$ or $MYTMP/out.$$
why not add a few lines in the ./configure scripts that will allow for the
creation of a $HOME/tmp (if not found) with proper attributes set when the
software is installed?
Anyway, quick and nasty shell scripts are different from editors and
shells. No one can predict where an admin is going to put some temporary
output (well maybe if they are well profiled) so the risk there is minimal
at best.
Just my $0.02
Regards,
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Anthony R. Plastino III
President, Tarp3 Enterprises, Inc.
PO Box 7966, Tacoma WA, 98407
Voice: 253.227.5877
Fax: 253.383.7172
Email: tony.plastino@tarp3.com
http://www.tarp3.com/
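Added example, not part of the post above or of any project it mentions: a
POSIX sh sketch of the "$HOME/tmp with proper attributes" idea, usable from
a configure script or from the start of a quick script instead of
">/tmp/out.$$". The function names (setup_private_tmp, private_tmpfile) and
the MYTMP convention are this example's own; it assumes mktemp(1) is
available and that test(1) supports the -O (owned by me) operator, which
bash, dash and ksh all provide.

```shell
#!/bin/sh
# Added example (assumptions: POSIX sh, mktemp(1), test -O supported).
#
# setup_private_tmp [DIR]
#   Creates DIR (default $HOME/tmp) as a mode 0700 directory owned by the
#   caller and prints its path.  A private directory removes the shared
#   /tmp problem: nobody else can plant a symlink or a predictable
#   out.$$ name in it.  If DIR already exists it must be a real directory
#   (not a symlink) that we own, otherwise we refuse to use it.
setup_private_tmp() {
    dir="${1:-$HOME/tmp}"
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        # umask 077 so the directory is born private; there is no window
        # in which it is group/world accessible before a later chmod.
        (umask 077 && mkdir "$dir") || return 1
    fi
    if [ -L "$dir" ]; then
        echo "setup_private_tmp: refusing symlink at $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "setup_private_tmp: $dir is not a directory" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "setup_private_tmp: $dir is not owned by us" >&2
        return 1
    fi
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# private_tmpfile DIR [PREFIX]
#   Creates a uniquely named 0600 file inside DIR and prints its path.
#   mktemp opens the file with O_EXCL, so even in a shared directory a
#   pre-planted file or symlink is never followed; ">$dir/out.$$" by
#   contrast is predictable and follows whatever is already there.
private_tmpfile() {
    dir="$1"
    prefix="${2:-out}"
    mktemp "$dir/$prefix.XXXXXX"
}

# Typical use in a script (MYTMP is this example's convention):
#   MYTMP=$(setup_private_tmp) || exit 1
#   OUT=$(private_tmpfile "$MYTMP" out) || exit 1
#   some_command >"$OUT"
```

The two checks are deliberately separate: creating the directory is the safe
step (mkdir fails if anything, symlink included, already sits at that path),
and the ownership and symlink tests only matter for the "already exists"
case, which is the one a pre-planted entry would exploit.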