Bugtraq mailing list archives
Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)
From: 0d0 <odo () MAIL TARP3 COM>
Date: Fri, 15 Dec 2000 16:08:59 -0800
On Thu, 14 Dec 2000, Mark Delany wrote:
[snip]
> Programmers who write general purpose shells and editors and sorts shouldn't have to worry about security issues.
Is this not the sort of justification we constantly see from vendors? Anyone who writes software for use on shareable systems, especially when their code may be sold (or GPLd or shared or plain given away) should be concerned about security issues. I'm sure that more than a few hundred lurkers on this list would agree that if a chance exists for an elevation of privileges on a system it will be found and taken advantage of and hopefully show up on Bugtraq so others can fix it... Insecure programming habits are no excuse.
I'm sure many people have been "guilty" of writing a quick and nasty shell script that ends in something like:

    >/tmp/out.$$

but why not:

    >./out.$$ or $MYTMP/out.$$

Why not add a few lines in the ./configure scripts that will allow for the creation of a $HOME/tmp (if not found) with proper attributes set when the software is installed? Anyway, quick and nasty shell scripts are different than editors and shells. No one can predict where an admin is going to put some temporary output (well maybe if they are well profiled) so the risk there is minimal at best.

Just my $0.02

Regards,
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Anthony R. Plastino III
President, Tarp3 Enterprises, Inc.
PO Box 7966, Tacoma WA, 98407
Voice: 253.227.5877 Fax: 253.383.7172
Email: tony.plastino () tarp3 com
http://www.tarp3.com/
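The private temporary directory "with proper attributes" suggested in the message above, as an added shell example that is not part of the original post. The helper names `ensure_private_tmp` and `new_scratch_file` are hypothetical, `MYTMP` is the variable named in the message, and the `mktemp` utility is assumed to be installed.

```shell
#!/bin/sh
# Added example: write scratch output to a private per-user directory
# instead of the predictable, world-writable path /tmp/out.$$.
# usage: out=$(new_scratch_file) && sort data >"$out"

# Create (if not found) and validate a private temp directory.
# Prints the directory path on success, returns non-zero otherwise.
ensure_private_tmp() {
    dir=${1:-${MYTMP:-$HOME/tmp}}
    # A symlink here could redirect our writes to a location chosen by someone else.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        # Set umask in a subshell so the directory is never briefly group/world accessible.
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # -O: the directory must be owned by our effective uid.
    [ -O "$dir" ] || { echo "not owned by current user: $dir" >&2; return 1; }
    # Tighten a pre-existing directory that was created with looser modes.
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Create a scratch file with an unpredictable name inside the private directory.
# mktemp creates the file exclusively with mode 0600 and prints its path.
new_scratch_file() {
    dir=$(ensure_private_tmp "$1") || return 1
    mktemp "$dir/out.XXXXXX"
}
```
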