Bugtraq mailing list archives

Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)


From: Mark Delany <MarkD () BUSHWIRE NET>
Date: Sat, 16 Dec 2000 15:52:16 +0000

> > ... Programmers who write general purpose shells and editors and
> > sorts shouldn't have to worry about security issues.
>
> Why not? These programs tend to be used by vast numbers of people and
> security holes in them are very significant.

Agreed that good programmers should get this right, and perhaps for
programs that are used by "vast numbers" of people there is no excuse
for getting this wrong. But as this list has shown, even popular
programs get this wrong so it's a safe assumption that many lesser
known (or private) programs make the same mistake.

As you say, /tmp is pretty entrenched in a lot of code and it does
have some convenience and resource management benefits. A restricted
file system is probably the only realistic solution as that protects
all those future programmers who make the same mistake (and all us
lazy shell hackers).

> I am a lazy programmer. I don't bother to check that what I am doing is
> reliable or safe. Don't trust my code - it could wreck your system.

And that's the point. Even if you're the only person using your code -
if you use /tmp on a shared system, someone else can probably promote
themselves. In other words this problem is by no means constrained to
programs specifically written for general use.

The model on Unix is that programmers have to take additional and
unusual steps to give away rights. /tmp breaks that model.

The two choices seem to be to make sure that every programmer on the
planet who ever uses /tmp on a shared system knows of this flaw and
works around it - or change /tmp to fit the model.


Regards.
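
What "works around it" asks of each programmer, as an added example that is not part of the original post or of any program it discusses. The helper names, the file name `app.tmp` and the scratch directory standing in for a shared /tmp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* declares mkstemp/mkdtemp under strict -std */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The mistake: a guessable name opened without O_EXCL. If another user
 * created that name first, we silently write into their file. */
int open_tmp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* The workaround: O_EXCL makes creation atomic and fails with EEXIST if the
 * name already exists in any form; mode 0600 keeps other users out. */
int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if fd is a regular file we own with no group/other access. */
int is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Constructed scenario in a scratch directory standing in for /tmp.
 * Returns 0 when each opener behaves as the comments above describe. */
int demo(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", name[64], tmpl[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(name, sizeof name, "%s/app.tmp", dir);    /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir); /* mkstemp template */
    mode_t old = umask(0);
    int planted = open(name, O_WRONLY | O_CREAT, 0666); /* created before us */
    umask(old);
    int naive = open_tmp_naive(name);          /* succeeds on the planted file */
    int shared = naive >= 0 && !is_private(naive);
    int excl = open_tmp_excl(name);            /* refused */
    int refused = excl == -1 && errno == EEXIST;
    int uniq = mkstemp(tmpl);                  /* fresh, unpredictable, 0600 */
    int ok = planted >= 0 && shared && refused && uniq >= 0 && is_private(uniq);
    close(planted); close(naive); close(uniq);
    unlink(name); unlink(tmpl); rmdir(dir);
    return ok ? 0 : 1;
}
```

The naive opener reports success in exactly the case that matters, which is why the mistake goes unnoticed until someone else has already claimed the name.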

