Subject: /tmp
From: Dan Stromberg (strombrg NIS.ACS.UCI.EDU)
Date: Thu Dec 21 2000 - 17:44:06 CST
- Next message: Microsoft Security Response Center: "Microsoft Security Bulletin and mailer formats"
- Previous message: Doug Wyatt: "Re: where user temp files should go, env var names"
- Next in thread: Michal Zalewski: "Re: /tmp"
- Next in thread: Dan Stromberg: "Re: /tmp"
- Reply: Michal Zalewski: "Re: /tmp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Two possibilities, which perhaps could be implemented as alternatives
on the same system:

1) Provide a library function, perhaps mkztemp(), which creates
/tmp/secz/username/templateXXXXXX. /tmp/secz is forced 1777 at boot
time. Pass back the filename and a file handle. Use of
/tmp/secz/username instead of /tmp/username helps reduce accidental
collisions, but does nothing to prevent intentional DOS. This one
should return the uid of the user owning the /tmp/secz/username file,
if there's a DOS.

2) Provide a library function, perhaps mkytemp(), which calls a setuid
root program that creates /tmp/secy/username/templateXXXXXX.
/tmp/secy is only writable by root, and mkdir'd at system boot time.
Pass back the filename and a file handle. The setuid program should
eliminate the DOS, but is slower (exec's hurt). You could just use
/sec or /stmp, but then temp scrubbers have to be modified slightly,
slowing migration.

I believe #2 would be the standard choice, while #1 would be reserved
for situations requiring a LOT of temp files in a short interval. Or
perhaps #1 should be published on the net, but not included in
libraries, so the path of least resistance is to use the more secure
#2, which would hopefully find its way into libraries.

The setuid program would of course need to be minimalist.

#1 is perhaps related to mkdtemp() on *bsd. Their man page doesn't
really appear to say what it does.

The effects of setuid programs need to be considered. Perhaps setuid
programs, both root and nonroot, would use the real username, not the
effective or saved. Sadly, I suppose this would mean setuid nonroot
programs would have to setuid(geteuid()) prior to mkytemp(), making it
an even less drop-in change.

Comments are desired. After the suggestion has been through the
shredder, I might implement them.
-- Dan Stromberg UCI/NACS/DCS
- application/pgp-signature attachment: stored