[18148] in bugtraq

Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary

daemon@ATHENA.MIT.EDU (DeRobertis)
Mon Dec 18 22:06:37 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
No-Disposition-Notification-To: derobert@erols.com
Message-Id:  <l03130300b66236dab7b2@[216.164.129.102]>
Date:         Sun, 17 Dec 2000 04:30:28 -0500
Reply-To: DeRobertis <derobert@EROLS.COM>
From: DeRobertis <derobert@EROLS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20001214225127.625.qmail@geex.bushwire.net>

At 10:51 PM +0000 on 12/14/00, Mark Delany wrote:
>As you say, /tmp is pretty entrenched in a lot of code and it does
>have some convenience and resource management benefits. A restricted
>file system is probably the only realistic solution as that protects
>all those future programmers who make the same mistake (and all us
>lazy shell hackers).

I'm not sure how easy it'd be to implement (3), but how about:

	1) /stmp/<<username>> as a temp directory for that user. rwx for
	   the user only, of course.

	2) utilities should respect TEMP_DIR, which would be set in
	   /etc/profile to /stmp/<<username>>

	3) For migration purposes, a virtual filesystem that maps
	   /tmp to /stmp/<<username>>. After all utilities are migrated,
	   one would get rid of this (and /tmp) forever.

Seems to me we'd have a lot less /tmp exploits ;-)
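
The checks a login script would need before trusting the per-user directory from points (1) and (2), as an added shell example that is not part of the original message. The function name `setup_user_tmp` and its `st_*` variables are hypothetical, and exporting `TMPDIR` alongside the proposed `TEMP_DIR` is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. /stmp and TEMP_DIR follow the
# proposal; the function name and the st_* variables are made up here.
# Assumption: BASE itself is root-owned and not world-writable (unlike /tmp),
# so other users cannot swap entries after the checks below. If users cannot
# write to BASE, root must pre-create BASE/USER; the mkdir then just fails
# and the checks still decide.

# setup_user_tmp BASE USER -> exports TEMP_DIR/TMPDIR, or returns 1.
setup_user_tmp() {
    st_base=$1
    st_user=$2

    # A user name must be a single path component.
    case "$st_user" in
        ''|.|..|*/*) echo "setup_user_tmp: bad user name" >&2; return 1 ;;
    esac
    st_dir="$st_base/$st_user"

    # mkdir without -p fails on any existing path, symlinks included.
    mkdir -m 700 "$st_dir" 2>/dev/null || true

    # Refuse symlinks and non-directories planted under the expected name.
    if [ -L "$st_dir" ] || [ ! -d "$st_dir" ]; then
        echo "setup_user_tmp: $st_dir is not a real directory" >&2; return 1
    fi

    # Numeric owner must be the caller (ls -ldn field 3).
    st_uid=$(ls -ldn "$st_dir" | awk '{print $3}')
    if [ "$st_uid" != "$(id -u)" ]; then
        echo "setup_user_tmp: $st_dir has wrong owner" >&2; return 1
    fi

    # Mode must be exactly rwx for the owner and nothing for anyone else.
    case "$(ls -ldn "$st_dir")" in
        drwx------*) ;;
        *) echo "setup_user_tmp: $st_dir has loose permissions" >&2; return 1 ;;
    esac

    TEMP_DIR=$st_dir
    TMPDIR=$st_dir      # the variable mktemp(1) and many tools already honor
    export TEMP_DIR TMPDIR
}

# Intended call from /etc/profile:
#   setup_user_tmp /stmp "$(id -un)"
```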
