[18174] in bugtraq
Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary
daemon@ATHENA.MIT.EDU (Kurt Seifried)
Tue Dec 19 16:36:28 2000
Message-ID: <008c01c0696b$8da398e0$ca00030a@seifried.org>
Date: Mon, 18 Dec 2000 20:27:01 -0700
Reply-To: Kurt Seifried <listuser@seifried.org>
From: Kurt Seifried <listuser@seifried.org>
X-To: DeRobertis <derobert@EROLS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> I'm not sure how easy it'd be to implement (3), but how about:
>
> 1) /stmp/<<username>> as a temp directory for that user. rwx for
> the user only, of course.
advantage over $TMP? I suppose if for some _weird_ reason /home/username/ isn't accessible or something....
> 2) utilities should respect TEMP_DIR, which would be set in
> /etc/profile to /stmp/<<username>>
Many do, some distros even do this by default. I think this is the best solution long term.
> 3) For migration purposes, a virtual filesystem that maps
> /tmp to /stmp/<<username>> After all utilities are migrated,
> one would get rid of this (and /tmp) forever.
Oh god. You aren't serious. That seems like a really good way to ensure people don't ever bother to fix the code (why should I, this /stmp will remap, what do I have to worry about?).
> Seems to me we'd have a lot less /tmp exploits ;-)
If programmers used sane tmp file creation.... If I had a million dollars.... If Florida hadn't used punchcards, well you get the idea =)
BTW for monitoring tmp this is useful:
http://www.l0pht.com/hotnews1999-1.html
http://www.L0pht.com/advisories/l0pht-watch.tar.gz
Kurt Seifried, seifried@securityportal.com
SecurityPortal - your focal point for security on the 'net