Bugtraq mailing list archives

Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache


From: fc () all net (Dr. Frederick B. Cohen)
Date: Sat, 9 Sep 1995 17:16:53 -0400


        I started this thing and went out of town only to find tens of
messages about it when I got back.  I thought it was a simple matter.

        If the user owns the file, put it in their home directory, mode
600 - but of course you are running insecure by making all of the files
readable that have to be readable for lsof to work properly.  So the
predominant mode should be the mode where root owns the file.  If you
have to have the cache, if it has to be owned by root, don't put it in
/tmp - try /etc/private or some such area created for the purpose.
Protect the file 600 for root access only, then the setUID program can
run it.

        All of this foolishness about checksums and file dates, etc. is
useless if the attacker has a copy of lsof to make the forgery with.  Since
it's publicly available, we assume the attacker has it and have to use
something like access controls to protect it.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
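The access-control approach argued for above, as an added example that is not part of the original message and not lsof's own code: a privileged program opens its cache only from a directory that is not group- or world-writable (so /tmp is refused), and then verifies on the open descriptor that the file is a regular file owned by the expected user with no group/other permission bits, so a world-writable file like the one in the subject line is rejected. The function names (cache_dir_is_private, cache_open_trusted, cache_policy_selfcheck) and the scratch path under /tmp are this example's assumptions.

```c
/* Added example: the "protect it with access controls, not checksums"
 * policy from the message above.  Not code from lsof or from the poster.
 * Function names and the scratch directory used by the self-check are
 * assumptions made here for illustration.
 */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A cache directory is only trustworthy if nobody but its owner can
 * create or rename entries in it.  /tmp (mode 1777) fails this test,
 * which is exactly why the message says not to keep the cache there. */
int cache_dir_is_private(const char *dir, uid_t owner)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open dir/name read-only and check it AFTER opening, via fstat on the
 * descriptor, so the file cannot be swapped between check and use.
 * O_NOFOLLOW refuses a planted symlink outright.  Returns the fd, or -1. */
int cache_open_trusted(const char *dir, const char *name, uid_t owner)
{
    char path[4096];
    struct stat st;
    int fd;

    if (!cache_dir_is_private(dir, owner)) { errno = EACCES; return -1; }
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) goto bad;
    if (!S_ISREG(st.st_mode)) goto bad;   /* no FIFOs, devices, directories */
    if (st.st_uid != owner) goto bad;     /* someone else's file */
    if (st.st_mode & 077) goto bad;       /* must be 0600 or tighter */
    if (st.st_nlink != 1) goto bad;       /* hard link to a file planted elsewhere */
    return fd;
bad:
    close(fd);
    errno = EACCES;
    return -1;
}

/* Self-check: make a private scratch directory (mkdtemp creates it 0700),
 * plant a cache file with the -rw-rw-rw- mode from the subject line,
 * confirm it is refused, tighten it to 0600, confirm it is accepted.
 * Returns 0 on success, a small nonzero code identifying the failed step. */
int cache_policy_selfcheck(void)
{
    char dir[] = "/tmp/lsofcache.XXXXXX";  /* assumed scratch location */
    const char *name = ".lsof_dev_cache";
    char path[4096];
    uid_t me = getuid();
    mode_t old;
    int fd, rc = 1;

    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/%s", dir, name);

    old = umask(0);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);  /* -rw-rw-rw- */
    umask(old);
    if (fd < 0) goto out;
    if (write(fd, "cache\n", 6) != 6) { close(fd); goto out; }
    close(fd);

    if (cache_open_trusted(dir, name, me) != -1) { rc = 2; goto out; } /* must refuse */
    if (chmod(path, 0600) != 0) { rc = 3; goto out; }
    fd = cache_open_trusted(dir, name, me);
    if (fd < 0) { rc = 4; goto out; }                                  /* must accept */
    close(fd);
    if (cache_dir_is_private("/tmp", me)) { rc = 5; goto out; }        /* /tmp itself is never private */
    rc = 0;
out:
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = cache_policy_selfcheck();
    printf("cache policy self-check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The order matters: the directory is checked by path, but the file is checked only through the descriptor that will actually be read, and ownership and mode are enforced rather than any content checksum, since anyone with a copy of lsof could produce a cache whose checksum verifies.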


