Bugtraq mailing list archives
Re: [hacksware]Pine temporary file hijacking vulnerability
From: "Christopher X. Candreva" <chris () WESTNET COM>
Date: Tue, 12 Dec 2000 19:32:38 -0500
On Mon, 11 Dec 2000, Peter W wrote:
> It would be nice if there was an easy, portable way to ensure safe temp file operations (mkstemp()?) but in the meantime, don't panic. Set safe values for TMP and TMPDIR and Pine behaves well.

I've just tried this under Solaris 8, pine 4.30, and with both $TMP and $TMPDIR set, Pine is still writing to /tmp.

There is another, more global, solution. The AMD automounter from cs.columbia.edu (now distributed as am-utils) has included a program called hlfsd (Home Link File System Daemon) for a number of years. It was designed as a simple way to have users' e-mail delivered to their home directories instead of to /var/spool/mail. It uses the automounter, watches the directory it's told to, and redirects requests to that directory from a user to a dir in their home directory. Users think their mail is in /var/spool/mail/username, but it's really in /home/path/username/.hlfsdir/username

I think that program stock, with different options, should be able to do the same thing to /tmp very easily. Every program will now write safely to /tmp, who cares how it's written.

The home page for am-utils is http://www.cs.columbia.edu/~ezk/am-utils/

This is pure theory, but I may try this out on a test system tomorrow.

-Chris

==========================================================
Chris Candreva -- chris () westnet com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/