Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10

avaloncoombs.anu.edu.au

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Don Lewis: "Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines"
• Previous message: Mark Graff: "Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines"
• In reply to: Dave Roberts: "Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10"

In some mail from Dave Roberts, sie said:
>
> On Fri, 25 Aug 1995, Darren Reed wrote:
>
> > People designing setuid-root programs or programs in general which perform
> > priviledged operations and need temporary files should consider using a
> > non-public access directory as the temp. file location.
>
> What about using the tempnam() call?  Maybe it's not available on all
> platforms although it is on AIX, SCO and HP-UX, so I'd have thought it
> would be.
>
> Do you feel that the randomness of the filenames this returns is not
> random enough?  Or is it that the very nature of a file that the world can
> get at is the security threat, no matter what permissions are in
> existence.  I'd have thought that having /tmp mode 1777, using tempnam()
> to get the file name, and creating this file in mode 0600 would be
> sufficient.

I believe that SunOS5's ps(1) used something like tempnam() - the bug
wasn't that, but the exploit code was written.  When you can do a search
in a finite space and find the result, what security does tempnam() give
you ?

• Next message: Don Lewis: "Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines"
• Previous message: Mark Graff: "Re: Patch for 8lgm syslog/sendmail vulnerability, 4.4lite machines"
• In reply to: Dave Roberts: "Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10"