Bugtraq mailing list archives
Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)
From: Kurt Seifried <listuser () seifried org>
Date: Mon, 18 Dec 2000 20:27:01 -0700
> I'm not sure how easy it'd be to implement (3), but how about:
> 1) /stmp/<<username>> as a temp directory for that user. rwx for the user only, of course.

Advantage over $TMP? I suppose if for some _weird_ reason /home/username/ isn't accessible or something....

> 2) utilities should respect TEMP_DIR, which would be set in /etc/profile to /stmp/<<username>>

Many do; some distros even do this by default. I think this is the best solution long term.

> 3) For migration purposes, a virtual filesystem that maps /tmp to /stmp/<<username>>. After all utilities are migrated, one would get rid of this (and /tmp) forever.

Oh god. You aren't serious. That seems like a really good way to ensure people don't ever bother to fix the code (why should I, this /stmp will remap, what do I have to worry about?).

> Seems to me we'd have a lot less /tmp exploits ;-)

If programmers used sane tmp file creation.... If I had a million dollars.... If Florida hadn't used punchcards, well you get the idea =)

BTW for monitoring tmp this is useful:
http://www.l0pht.com/hotnews1999-1.html
http://www.L0pht.com/advisories/l0pht-watch.tar.gz

Kurt Seifried, seifried () securityportal com
SecurityPortal - your focal point for security on the 'net