Bugtraq mailing list archives

Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)


From: DeRobertis <derobert () EROLS COM>
Date: Sun, 17 Dec 2000 04:30:28 -0500

At 10:51 PM +0000 on 12/14/00, Mark Delany wrote:
> As you say, /tmp is pretty entrenched in a lot of code and it does
> have some convenience and resource management benefits. A restricted
> file system is probably the only realistic solution as that protects
> all those future programmers who make the same mistake (and all us
> lazy shell hackers).

I'm not sure how easy it'd be to implement (3), but how about:

        1) /stmp/<<username>> as a temp directory for that user. rwx for
           the user only, of course.

        2) utilities should respect TEMP_DIR, which would be set in
           /etc/profile to /stmp/<<username>>

        3) For migration purposes, a virtual filesystem that maps
           /tmp to /stmp/<<username>>. After all utilities are migrated,
           one would get rid of this (and /tmp) forever.

Seems to me we'd have a lot less /tmp exploits ;-)
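
One way the /etc/profile step in (1) and (2) of the proposal above could be written, as an added example that is not part of the original post. /stmp and TEMP_DIR come from the post; the function name setup_user_tmp, its arguments, and the extra TMPDIR export are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. /stmp and TEMP_DIR come from the post; the function name
# setup_user_tmp and its arguments are hypothetical.
# Usage from /etc/profile:  setup_user_tmp /stmp || echo "no private temp dir" >&2
setup_user_tmp() {
    sut_base=${1:-/stmp}
    sut_user=${2:-$(id -un)}

    # The name becomes a path component: refuse anything that could leave base.
    case $sut_user in
        ''|.|..|*/*) echo "setup_user_tmp: bad user name" >&2; return 1 ;;
    esac
    sut_dir=$sut_base/$sut_user

    # Create with mode 700 from the start (-m is not filtered by umask).
    # Failure is fine here: the directory may already exist, or only the
    # administrator may be allowed to create it.
    mkdir -m 700 "$sut_dir" 2>/dev/null || :

    # Verify what is at that path instead of trusting it.
    if [ -L "$sut_dir" ]; then
        echo "setup_user_tmp: $sut_dir is a symlink, refusing" >&2; return 1
    fi
    if [ ! -d "$sut_dir" ] || [ ! -O "$sut_dir" ]; then
        echo "setup_user_tmp: $sut_dir missing or not owned by us" >&2; return 1
    fi
    # "rwx for the user only": the ls -ld mode field must match exactly.
    sut_perms=$(ls -ld "$sut_dir" | cut -c1-10)
    if [ "$sut_perms" != "drwx------" ]; then
        echo "setup_user_tmp: $sut_dir has mode $sut_perms" >&2; return 1
    fi

    TEMP_DIR=$sut_dir
    TMPDIR=$sut_dir   # assumption: also set the variable mktemp(1) reads
    export TEMP_DIR TMPDIR
}
```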

