[2734] in bugtraq
Re: Publically writable directories
daemon@ATHENA.MIT.EDU (Thomas Koenig)
Tue Jun 18 11:46:07 1996
Date: Tue, 18 Jun 1996 10:20:53 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Thomas Koenig <ig25@mvmampc66.ciw.uni-karlsruhe.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.LNX.3.91.960617222145.96B-100000@tcpip> from Brian Mitchell
at "Jun 17, 96 10:22:44 pm"
Brian Mitchell wrote:
>In that case, would you not be better off making the tmp dir in $HOME
>instead of /tmp? Assuming home dir permissions aren't totally insane,
>that should solve most of your problems.
I asked about this because of a discussion on the ssh mailing list
about where to put the .Xauthority file in case of a NFS-mounted
home directory.
Putting it into your home directory would be pointless, since the
key to your X session would still have to travel over the network
in clear.
Not all systems have open(...,O_CREAT|O_EXCL ) fail if the final
part of the path points to a symlink. Very good thing to implement,
though.
WRT the stat/fstat solutions: There is a problem in that an attacker
can force you to create an arbitrary empty file through a race
condition, and can delete the symlink before you can find out what
file you've created.
When an attacker does
$ ln -s /tmp/some.file /etc/nologin
and has root create /tmp/some.file, the problems are obvious. Question:
Can this also create security problems for a 'normal' user?
--
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
