Bugtraq mailing list archives
Re: GCC 2.7.? /tmp files
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 18 Jan 1998 16:14:28 -0700
This is a _simple_ one to 'fix'. My personal belief is that if anyone is at all concerned about /tmp explots, they will create a 'tmp' directory within their home directory and then set the TMPDIR environment variable to reference it. Most of the programs in use today will honor it; and if you are worried about the general user on your system, add to the system profile to set their TMPDIR (and I guess you could check for the existance of it and create it if necessary). There are just too many issues to deal with in the /tmp exploits; and this method removes them _ALL_. (Oh, just don't have your home dir executable and your tmp dir world writable at least. :)
Well, it sure as heck does not solve the problem for those programs that use mktemp() or some similar function on a string liek "/tmp/fooXXXXXX". It also does not fix the problem for daemons or setuid tools, which sure as heck should not be honouring TMPDIR at all. These are simply source code bugs, and they should be fixed. In OpenBSD we have fixed hundreds of these /tmp races. I do not believe there is a simple answer. And if someone does invent a magic solution later on that helps, it won't matter because by then we should hopefully have finished fixing the last of these programs. A person who codes a /tmp race into their code today is no different from a person who codes in a buffer overflow or who uses gets(). TMPDIR does not exist primarily for use as a workaround to a serious and very common problem. (No problem should be "solved" by requiring each user to set an environment variable).
Current thread:
- Re: GCC 2.7.? /tmp files Michael Douglass (Jan 15)
- MC shell scripts Micha? Zalewski (Jan 17)
- Re: GCC 2.7.? /tmp files Theo de Raadt (Jan 18)
- Re: GCC 2.7.? /tmp files Perry E. Metzger (Jan 18)
- Solaris ftpd D.O.S. Stanley Stasiak (Jan 19)
- Buffer overflow in Yapp Conferencing System... satan (Jan 20)
- Re: Solaris ftpd D.O.S. Aggelos P. Varvitsiotis (Jan 20)
- Re: Solaris ftpd D.O.S. Casper Dik (Jan 20)
- SNI-23: SSH - Vulnerability in ssh-agent Secure Networks Inc. (Jan 20)
- How to recover private keys for various Microsoft products Aleph One (Jan 20)
- HP-UX CUE, CUD and LAND vulnerabilities Aleph One (Jan 21)
- Re: Xserver stack smashed -- wrapper John Goerzen (Jan 21)
- Re: Xserver stack smashed -- wrapper Pavel Kankovsky (Jan 21)