Bugtraq mailing list archives
Re: /tmp
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Fri, 22 Dec 2000 11:26:13 +0100
On Thu, 21 Dec 2000, Dan Stromberg wrote:
> 2) Provide a library function, perhaps mkytemp(), which calls a setuid root program that creates /tmp/secy/username/templateXXXXXX. /tmp/secy is only writable by root, and mkdir'd at system boot time. Pass back the filename and a file handle. The setuid program should eliminate the DOS, but is slower (exec's hurt). You could just use /sec or /stmp, but then temp scrubbers have to be modified slightly, slowing migration.
Please tell me why you are considering /tmp as the only solution? Moving runtime temporary files that do not *have* to be shared from /tmp to e.g. ~/tmp is a pretty good solution as well. Unfortunately, this won't solve the numerous problems of programs that do not follow the mk*temp() convention, creating e.g. pid-based temporary files ;)

On the other hand, most of the context pseudo-filesystem / redirection solutions (like making the real location of /tmp entries different for every UID) might break e.g. X server / client functionality etc.

The truth is obvious: /tmp isn't anything good, and there are no easy workarounds for programs using it. We should modify these programs instead, moving ALL unnecessary /tmp files (those not used for interprocess communication, like X server sockets) to ~/tmp or so. You cannot feel safe without it, no matter how complicated a system is used to guard /tmp. It is not really difficult to grep all system sources for /tmp, mkstemp, mktemp, tmpnam, tempnam, tmpfile and similar stuff...

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
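The two patterns contrasted in the reply above (a pid-based temporary file in a shared directory versus mkstemp() in a per-user ~/tmp-style directory), as an added example that is not part of the original posting and is not code by either poster. It stages the symlink race the pid-based name invites and shows why the hardened opener does not fall for it. The directory names, the app.XXXXXX template and the scratch directory used for staging are assumptions for illustration; the code targets POSIX/Linux.

```c
/* Added example, not from the Bugtraq thread. POSIX/Linux. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the reply warns about: a name derived from the pid, opened
 * with O_CREAT but no O_EXCL. In a shared directory an attacker who guesses
 * the pid plants a symlink at that name first, and open() follows it. */
int predictable_tmp_open(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/app.%ld", dir, (long)getpid()) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant: a private per-user directory (assumed ~/tmp or any
 * caller-supplied path) that must be a real directory we own with no
 * group/other write bit, then mkstemp(), which creates the file with
 * O_CREAT|O_EXCL, mode 0600 and an unpredictable name. */
int private_tmp_open(const char *dir, char *path, size_t len)
{
    struct stat st;

    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EACCES;          /* symlink, not ours, or shared-writable */
        return -1;
    }
    if (snprintf(path, len, "%s/app.XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);        /* fails instead of following a planted link */
}

/* Demonstration in a fresh, constructed scratch directory: plant a symlink
 * at the predictable name pointing to a "victim" file, run the pid-based
 * opener, and check whether the victim was overwritten through the link.
 * Returns 1 if it was (the attack works), 0 if not, -1 on setup error.
 * Also verifies private_tmp_open() in the same dir yields a fresh regular
 * file rather than the victim. */
int run_race_demo(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char scratch[256], victim[256], link[256], path[256], priv[256], buf[64];
    struct stat st;
    int fd, n, clobbered;

    snprintf(scratch, sizeof scratch, "%s/tmprace-demo.XXXXXX", base);
    if (mkdtemp(scratch) == NULL)                     /* 0700, owned by us */
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", scratch);
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    if (write(fd, "original", 8) != 8) return -1;
    close(fd);

    /* Attacker's move: guess the pid, plant the symlink before the opener. */
    snprintf(link, sizeof link, "%s/app.%ld", scratch, (long)getpid());
    if (symlink(victim, link) != 0)
        return -1;

    if ((fd = predictable_tmp_open(scratch, path, sizeof path)) < 0)
        return -1;
    if (write(fd, "owned", 5) != 5) return -1;        /* goes through the link */
    close(fd);

    if ((fd = open(victim, O_RDONLY)) < 0) return -1;
    n = (int)read(fd, buf, sizeof buf - 1);
    close(fd);
    buf[n > 0 ? n : 0] = '\0';
    clobbered = (strcmp(buf, "owned") == 0);

    fd = private_tmp_open(scratch, priv, sizeof priv);
    if (fd < 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        strcmp(priv, victim) == 0)
        return -1;
    close(fd);

    unlink(priv); unlink(link); unlink(victim); rmdir(scratch);
    return clobbered;
}

int main(void)
{
    int r = run_race_demo();
    printf("pid-based name overwrote the victim through a symlink: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup error");
    return r < 0;
}
```

The ownership and write-bit check on the directory is what makes the ~/tmp approach hold: mkstemp() alone still protects against a planted link, but a per-user directory that someone else can write to brings the shared-/tmp problem straight back.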