Bugtraq mailing list archives
Re: StarOffice 5.2 Temporary Dir Vulnerability
From: Peter W <peterw () USA NET>
Date: Wed, 8 Nov 2000 19:07:41 -0500
Christian wrote:
> A while back I noticed that StarOffice 5.2 (running under Linux and Solaris) creates a temporary directory under /tmp with the name "soffice.tmp" with permissions 0777.

Ah, our old friend /tmp. WordPerfect and VMWare had similar problems...

> My suggested workaround is to create a symbolic link from /tmp/soffice.tmp to a directory inside your home directory which is inaccessible to anyone but yourself. Doing this before running StarOffice would seem to protect against the vulnerability and this could be written into a simple shell script wrapper.
...and similar solutions. A better workaround is to set the environment variable TMP to a safe alternative before running StarOffice. If you do this, StarOffice will create the mode 0777 dir inside $TMP. I don't know if this is documented, but it works (tested with StarOffice 5.2 for Linux), and that's what matters. ;-)

Below is a shell script Red Hat Linux users can put in /etc/profile.d (be sure to make it at least 0555, and use a .sh extension) to take care of this, and similar, temp dir issues for users of sh/Bash shells, starting the next time each user logs in. Others, source this from your .profile or whatever, so your temp dir vars are properly set when you log in. Or put it in a wrapper script, but I think history has shown that it's a good idea to set these variables so that other applications might behave more safely, too. Search the Bugtraq archive for TMPDIR for more cases.

IIRC, some (many? most?) other Linux distros support /etc/profile.d scripts for sh/Bash, but YMMV.

Note that while WordPerfect 8 and VMWare respect $TMPDIR, StarOffice uses $TMP. So my script now sets both variables, Just In Case.

Christian, thanks for the catch.

-Peter

other stuff at http://www.tux.org/~peterw/

#
# bastille-tmpdir.sh
#
# This script sets TMP/TMPDIR environment variables for some added
# safety on multi-user systems. Many applications write temporary
# files in unsafe ways to /tmp unless TMP and/or TMPDIR are set.
#
if [ -z "${TMPDIR}" ]; then
        # TMPDIR is not set
        TMPDIR="${HOME}/tmp"
        case "${TMPDIR}" in
        /tmp|//tmp)
                # This user's home dir is "/" (or empty)? SysV-root?
                # HOME="/" expands to "//tmp", so match that form as well.
                TMPDIR=/tmp-root
                ;;
        esac
        if [ ! -d "${TMPDIR}" ]; then
                # We need to create the directory, with sane permissions
                if mkdir -m 0700 "${TMPDIR}" 2>/dev/null; then
                        TMP="${TMPDIR}"
                        export TMP TMPDIR
                else
                        echo "Warning: unable to create safe TMPDIR"
                fi
        else
                TMP="${TMPDIR}"
                export TMP
                export TMPDIR
        fi
fi
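Added example, not part of Peter's post: the script above accepts an existing ${HOME}/tmp or a preset TMPDIR without inspecting it, so this check confirms that both TMP and TMPDIR point at a real directory owned by the current user with no group or other permission bits. The function names tmpdir_is_safe and check_tmp_env are hypothetical.

```shell
# Added example: audit TMP and TMPDIR after the profile script has run.
# tmpdir_is_safe and check_tmp_env are hypothetical names.

# Return 0 only if $1 is a real directory (not a symlink), owned by the
# current user, and carries no group/other permission bits.
tmpdir_is_safe() {
    dir=$1
    [ -n "$dir" ] || return 1           # unset or empty
    if [ -L "$dir" ]; then return 1; fi # symlink: target is not under our control
    [ -d "$dir" ] || return 1           # missing, or not a directory
    [ -O "$dir" ] || return 1           # owned by someone else
    # First ten characters of the ls -ld mode string, e.g. "drwx------"
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        d???------) return 0 ;;
        *)          return 1 ;;         # e.g. drwxrwxrwx, like /tmp/soffice.tmp
    esac
}

# Check both variables: StarOffice reads TMP, while WordPerfect 8 and
# VMWare read TMPDIR, so one safe variable is not enough.
check_tmp_env() {
    rc=0
    for name in TMP TMPDIR; do
        eval "val=\${$name}"
        if tmpdir_is_safe "$val"; then
            echo "$name=$val: ok"
        else
            echo "$name=${val:-<unset>}: not a private directory" >&2
            rc=1
        fi
    done
    return $rc
}
```

Calling check_tmp_env from a login shell after the profile.d script has been sourced shows whether either variable still resolves to a shared or loosely permissioned directory.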