Bugtraq mailing list archives
Re: Why you should avoid world-writable directories
From: kragen () POBOX COM (Kragen Sitaker)
Date: Tue, 22 Dec 1998 16:50:19 -0500
On Tue, 22 Dec 1998, Gonzo Granzeau wrote:
> As noted from previous sendmail issues, two of the stated problems can be solved by doing a correct disk structure. You cannot create hard links across different partitions. That way, if you have a /, /usr, /tmp, and a /home, you should be okay if it drops it in tmp. You'd basically have to give their program its own file system. This still doesn't change the fact that it is flawed, but if you are forced to use it...
As djb's recent email to bugtraq points out, this does not solve the mail destruction problem; you can make a subdirectory in the spool directory and put your hardlink in there. That subdirectory is guaranteed to be on the same partition as the spool directory. It *does* solve the mail-yourself-a-private-file problem, but I haven't looked at the VMailer spool-file format enough to figure out whether there's really a security problem (as djb claims) or not (as Wietse claims).

-- 
<kragen () pobox com> Kragen Sitaker <http://www.pobox.com/~kragen/>
TurboLinux is outselling NT in Japan's retail software market 10 to 1, so I hear.
-- http://www.performancecomputing.com/opinions/unixriot/981218.shtml
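An added example, not part of the original post or of any mailer's code: a small audit that flags the conditions discussed above (a world-writable spool without the sticky bit, subdirectories on the spool's own filesystem, and queue files with more than one hard link). The directory layout, file names and finding labels are constructed for illustration, and it assumes a spool should contain only entries owned by the spool directory's owner.

```python
import os
import stat
import tempfile

def audit_spool(spool):
    """Walk a spool directory and return a list of (kind, path) findings."""
    findings = []
    top = os.lstat(spool)
    # World-writable without the sticky bit: any user can create or unlink entries.
    if top.st_mode & stat.S_IWOTH and not top.st_mode & stat.S_ISVTX:
        findings.append(("world-writable-no-sticky", spool))
    for root, dirs, files in os.walk(spool):
        for name in dirs:
            path = os.path.join(root, name)
            st = os.lstat(path)
            # A subdirectory shares the spool's device unless something is mounted
            # on it, so a separate spool partition does not stop links made inside it.
            # Assumption: entries not owned by the spool owner are unexpected.
            if st.st_dev == top.st_dev and st.st_uid != top.st_uid:
                findings.append(("foreign-subdir-same-fs", path))
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            # A regular file with more than one name has a hard link somewhere.
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                findings.append(("hardlinked-file", path))
    return findings

def demo():
    """Build a constructed spool layout in a temp dir and audit it."""
    base = tempfile.mkdtemp(prefix="spool-demo-")
    spool = os.path.join(base, "spool")
    os.mkdir(spool)
    os.chmod(spool, 0o777)                    # world-writable, no sticky bit
    msg = os.path.join(spool, "msg001")       # constructed queue file
    with open(msg, "w") as f:
        f.write("constructed message\n")
    sub = os.path.join(spool, "sub")
    os.mkdir(sub)
    os.link(msg, os.path.join(sub, "alias"))  # same filesystem, so no EXDEV
    return spool, audit_spool(spool)

if __name__ == "__main__":
    for kind, path in demo()[1]:
        print(kind, path)
```

Run against a real spool path, `audit_spool` needs read and search permission on the whole tree; findings are leads for review, since some mailers legitimately use hard links inside their own queue.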