Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10

djrhaddock.saa-cons.co.uk

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Perry E. Metzger: "Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines"
• Previous message: Paul Traina: "Re: Jeffrey Mogul: Re: screend IP firewall bug"
• In reply to: Darren Reed: "Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10"
• Next in thread: Vic Abell: "Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10"

On Fri, 25 Aug 1995, Darren Reed wrote:

> People designing setuid-root programs or programs in general which perform
> priviledged operations and need temporary files should consider using a
> non-public access directory as the temp. file location.

What about using the tempnam() call?  Maybe it's not available on all
platforms although it is on AIX, SCO and HP-UX, so I'd have thought it
would be.

Do you feel that the randomness of the filenames this returns is not
random enough?  Or is it that the very nature of a file that the world can
get at is the security threat, no matter what permissions are in
existence.  I'd have thought that having /tmp mode 1777, using tempnam()
to get the file name, and creating this file in mode 0600 would be
sufficient.


Dave Roberts                 | "Just paddling out into big surf is a total
Unix Systems Administrator   | commitment" * "You can't just call time-out and
SAA Consultants Ltd          | stroll on back to the beach if you don't like
Plymouth, UK  <EDI Services> | the way things are going" - Point Break

• Next message: Perry E. Metzger: "Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines"
• Previous message: Paul Traina: "Re: Jeffrey Mogul: Re: screend IP firewall bug"
• In reply to: Darren Reed: "Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10"
• Next in thread: Vic Abell: "Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10"