List: bugtraq
Subject: Re: mktemp() and friends
From: "D. J. Bernstein" <djb () koobera ! math ! uic ! edu>
Date: 1996-12-24 22:52:49
I have a very simple suggestion: eliminate world writability. No more
/var/spool/mail and no more /tmp.
Right now, system security is in the hands of thousands of programs.
That's silly. The only programs that should have to worry about security
are programs that handle untrusted data---i.e., communications programs.
> /tmp has the advantage that it may be cleaned up after a reboot.
What does ``reboot'' mean? Sounds like a Windows feature.
Under UNIX, people want to clean up temporary files in multiuser mode.
How would you suggest doing this?
Everyone knows that if root runs
find /tmp ... -print | xargs rm
then any user can delete any file on the system. Years ago I proposed
find -print0 and xargs -0, naively assuming that reliable => secure.
Unfortunately, if root runs
find /tmp ... -print0 | xargs -0 rm
any user can _still_ delete any file on the system. You might give up
on xargs and run
find /tmp ... -exec rm '{}' ';'
but that _still_ lets any user delete any file on the system.
With per-user tmp directories, the problem disappears: setuid to joe and
remove old files in ~joe/tmp.
> Finally, what if you're using an NFS-mounted ~
Each user should have a separate storage area on each host. Otherwise:
setenv TMPDIR ~/tmp/`hostname`; mkdir $TMPDIR
---Dan
Put an end to unauthorized mail relaying. http://pobox.com/~djb/qmail.html
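As an added example (not part of Dan's post, and not any existing system's cleanup tool): a C sweeper that follows the post's suggestion of switching to the user before touching ~user/tmp, and additionally walks the tree by open directory descriptors (openat/fstatat/unlinkat) rather than by path names, a refinement beyond what the post describes. The program name sweep_tmp and the ~user/tmp layout are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Unlink regular files under dirfd (recursively) whose mtime is older than
 * cutoff. Everything is relative to an open directory fd, so names are never
 * re-resolved from a path between stat and unlink, and symlinks are skipped. */
static int sweep_old(int dirfd, time_t cutoff) {
    DIR *d = fdopendir(dirfd);
    if (!d) { close(dirfd); return -1; }
    int removed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            int n = sub < 0 ? -1 : sweep_old(sub, cutoff);
            if (n > 0) removed += n;
        } else if (S_ISREG(st.st_mode) && st.st_mtime < cutoff &&
                   unlinkat(dirfd, e->d_name, 0) == 0) {
            removed++;
        }
    }
    closedir(d); /* also closes dirfd (this function owns it) */
    return removed;
}

/* Usage (as root): sweep_tmp USER DAYS. Becomes USER first, as the post suggests. */
int main(int argc, char **argv) {
    struct passwd *pw = argc == 3 ? getpwnam(argv[1]) : NULL;
    if (!pw || initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return 1;
    char path[4096];
    snprintf(path, sizeof path, "%s/tmp", pw->pw_dir);
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    int n = fd < 0 ? -1 : sweep_old(fd, time(NULL) - atol(argv[2]) * 86400);
    printf("%d file(s) removed from %s\n", n, path);
    return n < 0;
}
```

Run unprivileged, the setuid step fails and nothing is touched; sweep_old itself can be exercised on any directory you own.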