Bugtraq mailing list archives
Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10
From: avalon () coombs anu edu au (Darren Reed)
Date: Wed, 30 Aug 1995 23:02:06 +1000
In some mail from Dave Roberts, sie said:
On Fri, 25 Aug 1995, Darren Reed wrote:People designing setuid-root programs or programs in general which perform priviledged operations and need temporary files should consider using a non-public access directory as the temp. file location.What about using the tempnam() call? Maybe it's not available on all platforms although it is on AIX, SCO and HP-UX, so I'd have thought it would be. Do you feel that the randomness of the filenames this returns is not random enough? Or is it that the very nature of a file that the world can get at is the security threat, no matter what permissions are in existence. I'd have thought that having /tmp mode 1777, using tempnam() to get the file name, and creating this file in mode 0600 would be sufficient.
I believe that SunOS5's ps(1) used something like tempnam() - the bug wasn't that, but the exploit code was written. When you can do a search in a finite space and find the result, what security does tempnam() give you ?
Current thread:
- Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 Darren Reed (Aug 30)
- <Possible follow-ups>
- Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 Greg Woods (Aug 30)