Bugtraq mailing list archives
Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)
From: Christian <christian () dijkstra MURDOCH EDU AU>
Date: Sun, 17 Dec 2000 11:18:52 +0800
On Thu, Dec 14, 2000 at 10:51:27PM +0000, Mark Delany wrote:
> I'm not so sure that the Internet is the cause of anti-social users sharing Unix systems.. Be that as it may, one of the biggest issues with using /tmp is it creates a security issue for a whole class of programs and programmers that generally don't have to worry about security. Programmers who write general purpose shells and editors and sorts shouldn't have to worry about security issues.
I'm afraid I have to strongly disagree with this. Any program that has to deal with untrusted data (i.e., the source of the data is not the user running the program) has to consider security issues.

If people who write shells and editors don't have to worry about these things then these shells can never operate on any filenames or directory names etc. that do not belong to the user running the shell. Similarly editors cannot operate on files that come from other users. The situation is bad enough now but imagine if you couldn't be sure whether you could safely open up and hack that C program you just downloaded...

Unfortunately all programmers need to have a basic awareness of security issues. Educating them all is obviously an ENORMOUS job and making the decision that /tmp should no longer be used and thus taken out of the equation doesn't make this job significantly smaller.

Regards,
Christian.