Bugtraq mailing list archives

Re: Linux and world-writable /tmp - UPDATE (fwd)


From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Mon, 13 Jul 1998 00:51:25 +0200


On Thu, 16 Jul 1998, Olaf Kirch wrote:

There are some things I do not understand about this patch.

 1.   The code does not redirect /tmp access of processes running
      with a real, effective, or fs uid of root.

      So it doesn't buy you anything when it comes to /tmp attacks
      on setuid root programs.

No. You have to make /tmp chmod 755, only root-writable, so there's no
risk. Please read README carefully ;-)

 2.   The code does not keep normal users from messing around in
      the real /tmp directory. Use ///tmp, or chdir("/") and
      use "tmp", or unset both HOME and TMPDIR, or symlink your
      $HOME/tmp to /tmp, etc.

Yes. It redirects only typical requests. It won't protect /tmp itself, as
I wrote - you have to do 'chmod 755 /tmp'. Without this patch, your
programs won't work after the above chmod. With the patch, they will. It has
been mentioned in README, again.

 3.   Some setuid programs do open temporary files in /tmp for
      a reason; they do not expect them to be created in /etc.
      They also do not expect that the user invoking the program
      can flip to a different directory underneath of it. An
      interesting attack (having redtmp loaded) would go like
      this:

Setuid programs are NOT redirected to $HOME/tmp. If you want to force
setgid redirection too, simply modify the code, but I can't see a serious
reason to do it (any real-life examples, not 'hypothetical' examples - I can
talk about a 'hypothetical' setuid program executing rm -rf / if only it
detects redtmp installed, but... ;-).

_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
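To make the two replies above concrete, here is an added Python model of the redirect rule as this thread describes it. It is not the redtmp patch's code: the literal "/tmp/" prefix match, the root exemption and the $TMPDIR-else-$HOME/tmp target are assumptions. It classifies each spelling from Olaf's point 2 and shows why the README's 'chmod 755 /tmp' turns an un-redirected request by a normal user into a failed open instead of a write into the real /tmp.

```python
import posixpath
from typing import Mapping

TMP = "/tmp"


def redirect_tmp(path: str, uid: int, env: Mapping[str, str]) -> str:
    """Path a process would actually open under the modelled redtmp-style rule.

    Assumptions (not taken from the patch): only the literal "/tmp/..." spelling
    is matched, root (uid 0) is exempt, and the target is $TMPDIR or $HOME/tmp.
    """
    if uid == 0 or not path.startswith(TMP + "/"):
        return path
    base = env.get("TMPDIR")
    if not base and env.get("HOME"):
        base = posixpath.join(env["HOME"], "tmp")
    if not base:
        return path          # neither HOME nor TMPDIR: nowhere to redirect to
    return posixpath.join(base, path[len(TMP) + 1:])


def touches_real_tmp(path: str, cwd: str) -> bool:
    """Does kernel-side resolution of `path` (relative to `cwd`) land in /tmp?"""
    resolved = posixpath.normpath(posixpath.join(cwd, path))
    return resolved == TMP or resolved.startswith(TMP + "/")


def open_outcome(path: str, uid: int, env: Mapping[str, str],
                 cwd: str = "/", tmp_mode: int = 0o1777) -> str:
    """Classify a create-in-/tmp request: 'redirected', 'denied', 'real_tmp' or 'other'.

    tmp_mode models the directory mode of /tmp; 0o755 is the README's setting and
    makes an un-redirected write by a non-root user fail (reported as 'denied').
    """
    target = redirect_tmp(path, uid, env)
    if target != path:
        return "redirected"
    if touches_real_tmp(target, cwd):
        if uid != 0 and not (tmp_mode & 0o002):
            return "denied"
        return "real_tmp"
    return "other"


if __name__ == "__main__":
    env = {"HOME": "/home/alice"}          # constructed sample environment
    for case in (("/tmp/sess", 1000, env), ("///tmp/sess", 1000, env),
                 ("tmp/sess", 1000, env), ("/tmp/sess", 1000, {}),
                 ("/tmp/sess", 0, env)):
        print(case[0], case[1], open_outcome(*case), open_outcome(*case, tmp_mode=0o755))
```

Only the first spelling is redirected; the others reach the real /tmp with a 1777 directory and are refused for uid 1000 once /tmp is 755, while root keeps working either way.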
