Bugtraq mailing list archives

Tired of /tmp? Here's a proposed solution

From: @ (Igor Chudov @ home)
Date: Mon, 26 Aug 1996 21:18:26 -0500


Are you tired of attacks based on files in /tmp?

Well, how about the following solution:

1. Introduce a convention that whenever a program wants a file name
for some temporary file, it should call a library function tmp_mknam

2. This function would accept the file prefix and be implemented in
the following way:

        a) check if directory $TMP exists and belongs to the effective uid
        b) if yes, return $TMP/<prefix><unique id> (maybe using tmpnam)
        c) if no, create a file under /tmp/<prefix><unique id> (maybe
           using tmpnam)

If program writers follow this convention and call tmp_mknam, users will
be able to insure their security from /tmp attacks by creating
directories with right permissions, for example under /tmp. For example,
I could protect myself by the following commands:

$ mkdir /tmp/ichudov
$ chmod 700 /tmp/ichudov
$ export TMP=/tmp/ichudov

This function can be made nit oa separate library of its own.

        - Igor.

Current thread:

Re: Vulnerability in the Xt library Warner Losh (Aug 25)
- Re: Vulnerability in the Xt library Casper Dik (Aug 26)
- r00t advisory -- Sunny Day Virus Gregory Hull (Aug 26)
- r00t advisroy -- sol2.5 at(1) vunerability Gregory Hull (Aug 26)
- r00t advisory -- workman vunerability Gregory Hull (Aug 26)
- r00t advisory -- sol2.5 su(1M) vunerability Gregory Hull (Aug 26)
- SGI Security Advisory 19960802-01 - Vulnerability in expreserve SGI Security Coordinator (Aug 26)
- Privileges (was libresolv+ bug) Paul McNabb (Aug 26)
- [BUG] Vulnerability in PINE Sean B. Hamor (Aug 26)
  - Tired of /tmp? Here's a proposed solution Igor Chudov @ home (Aug 26)
    - Re: Tired of /tmp? Here's a proposed solution Guido M. Witmond (Aug 27)
    - Re: Tired of /tmp? Here's a proposed solution Thomas Koenig (Aug 28)
    - Re: Tired of /tmp? Here's a proposed solution Sean B. Hamor (Aug 28)
    - Re: Tired of /tmp? Here's a proposed solution mdr () vodka sse att com (Aug 28)
    - Rlogin vulnerabilty Gabriele Avosani (Aug 28)
    - Re: Tired of /tmp? Here's a proposed solution Matthew J Brown (Aug 28)
    - ftpbounce-0.1.tar.gz Rune Braathen (Aug 27)
  - Re: [BUG] Vulnerability in PINE Rage-303.tr (Aug 27)
    - Re: [BUG] Vulnerability in PINE Linux Mailing Lists (Aug 28)
    - Re: [BUG] Vulnerability in PINE Sean B. Hamor (Aug 28)

(Thread continues...)