The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.


/tmp usage and security

Hello to you all people at Debian and thanks for your work!

I have a proposal.

I have been reading lately that
many problems come from this pattern:
 a program (e.g. sort) uses (creates, deletes, overwrites)
  temporary files in /tmp/,
 root uses this program (maybe indirectly, when the updatedb command
  is executed by cron),
 a malicious user may create many links in /tmp so that
  the program overwrites/creates/deletes important files in the system.

A similar problem is present (and known) in most scripts that install
programs in Debian.

I think that there is no easy patch to these situations;
here are a few proposals for developers

1) Before a program creates a file in /tmp,
   it checks if there is already one with the same name, and unlinks it
   or it changes the chosen name for the file
2) All temporary files that are created should be of the form
   name.$$.$rand
   where $$ is the pid number and $rand is a random string of 8 characters;

BTW
a function in libc6 may be added, like this:
 char *good_temp_filename(char *name)
this function, given a name, builds a good filename for a file in /tmp/
 using name as a prefix
A command in /usr/bin may be created to perform the same trick for shell
scripts.

3) at boot time, right after the
 rm -rf /tmp/
a script creates all directories like
 /tmp/.users/USER
where USER ranges over all the usernames in /etc/passwd,
with ownership to USER and mode
 chmod og-rwx

good_temp_filename() checks if /tmp/.users/USER exists;
otherwise it tries to give a name that is not used.
Programs that use this function would be safer.

I understand that doing this may be problematic; it involves
asking all developers/maintainers to review their code;
but I see no easy solution to this problem.

thanks


A.Mennucci

ps: I know that it is much easier to give proposal than
 to actually work on them. Sorry for the fuss. :-)
 
ps2: feel free to forward this to any address
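An added example (not from the original message, nor Debian or libc code) of what a good_temp_filename()-style helper looks like when written so that proposal 1's check-then-create race does not arise: the name is built as name.PID.RANDOM per proposal 2, and the file is created atomically with O_CREAT|O_EXCL|O_NOFOLLOW, so a pre-existing entry or link at that path makes open() fail instead of being followed. The function names safe_temp_open() and is_private_regular_file() are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define RAND_CHARS 8

/* Fill buf with n characters from [a-zA-Z0-9] drawn from /dev/urandom.
 * The modulo introduces a slight bias, which is acceptable for a file name. */
static int random_suffix(char *buf, size_t n) {
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    unsigned char raw[RAND_CHARS];
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (read(fd, raw, n) != (ssize_t)n) { close(fd); return -1; }
    close(fd);
    for (size_t i = 0; i < n; i++) buf[i] = alphabet[raw[i] % (sizeof alphabet - 1)];
    buf[n] = '\0';
    return 0;
}

/* Create DIR/NAME.PID.RANDOM atomically with mode 0600, retrying only on
 * a name collision. Returns an open fd and writes the path to out, else -1.
 * Never unlinks or reuses an existing entry: that is the racy pattern. */
int safe_temp_open(const char *dir, const char *name, char *out, size_t outlen) {
    char suffix[RAND_CHARS + 1];
    for (int attempt = 0; attempt < 100; attempt++) {
        if (random_suffix(suffix, RAND_CHARS) != 0) return -1;
        int n = snprintf(out, outlen, "%s/%s.%ld.%s", dir, name, (long)getpid(), suffix);
        if (n < 0 || (size_t)n >= outlen) return -1;
        int fd = open(out, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1;   /* ELOOP, EACCES, ... are real failures */
    }
    return -1;
}

/* Post-creation check: 1 if fd is a regular file we own, with a single
 * link and mode 0600, i.e. nobody else could have planted or linked it. */
int is_private_regular_file(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           (st.st_mode & 07777) == 0600 && st.st_uid == geteuid();
}
```

The caller keeps using the returned fd rather than reopening the path, since only the fd is guaranteed to refer to the file that was just created.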


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .