Bugtraq mailing list archives

Re: mktemp() and friends


From: djb () koobera math uic edu (D. J. Bernstein)
Date: Tue, 24 Dec 1996 22:52:49 -0000


I have a very simple suggestion: eliminate world writability. No more
/var/spool/mail and no more /tmp.

Right now, system security is in the hands of thousands of programs.
That's silly. The only programs that should have to worry about security
are programs that handle untrusted data---i.e., communications programs.

> /tmp has the advantage that it may be cleaned up after a reboot.

What does ``reboot'' mean? Sounds like a Windows feature.

> Under UNIX, people want to clean up temporary files in multiuser mode.
> How would you suggest doing this?

Everyone knows that if root runs

   find /tmp ... -print | xargs rm

then any user can delete any file on the system. Years ago I proposed
find -print0 and xargs -0, naively assuming that reliable => secure.
Unfortunately, if root runs

   find /tmp ... -print0 | xargs -0 rm

any user can _still_ delete any file on the system. You might give up
on xargs and run

   find /tmp ... -exec rm '{}' ';'

but that _still_ lets any user delete any file on the system.

With per-user tmp directories, the problem disappears: setuid to joe and
remove old files in ~joe/tmp.

> Finally, what if you're using an NFS-mounted ~

Each user should have a separate storage area on each host. Otherwise:

   setenv TMPDIR ~/tmp/`hostname`; mkdir $TMPDIR

---Dan
Put an end to unauthorized mail relaying. http://pobox.com/~djb/qmail.html


