Full Disclosure mailing list archives
Re: Symlink vulnerabilities
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sat, 22 Oct 2011 02:26:33 -0700
Actually, no; per user /tmp could only be accomplished, without a major redesign and without breaking almost every application
[citation needed] ;-) Only a fraction of apps uses /tmp... vendors can fix their own distros: grepping for "/tmp" isn't complicated, and almost every package usually ships with a handful of vendor-specific diffs anyway. You will break some third-party stuff people download from the Internet, but that's a self-correcting problem, and not exactly a horrible prospect: Linux distros break crappy software with almost every major release anyway, often due to far more fundamental changes (e.g. different /dev or /proc semantics, or moving libraries and includes around). The namespace / pseudo-fs approach is fairly ancient and works, but it's sort of ugly: it makes the filesystem behave counterintuitively in the rare case somebody actually has a legit use for /tmp. Not a big deal, but seems like an overcomplicated solution IMO. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Symlink vulnerabilities bugs (Oct 21)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 21)
- Re: Symlink vulnerabilities Michal Zalewski (Oct 21)
- Re: Symlink vulnerabilities Byron Sonne (Oct 21)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 21)
- Re: Symlink vulnerabilities Raj Mathur (राज माथुर) (Oct 21)
- Re: Symlink vulnerabilities James Condron (Oct 22)
- Re: Symlink vulnerabilities Michal Zalewski (Oct 22)
- Re: Symlink vulnerabilities Michal Zalewski (Oct 21)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 21)
- Re: Symlink vulnerabilities dave bl (Oct 21)
- Re: Symlink vulnerabilities bugs (Oct 22)
- Re: Symlink vulnerabilities Leon Kaiser (Oct 24)
- Re: Symlink vulnerabilities bugs (Oct 24)
- Re: Symlink vulnerabilities xD 0x41 (Oct 25)
- Re: Symlink vulnerabilities Tavis Ormandy (Oct 25)
- Re: Symlink vulnerabilities bugs (Oct 25)
- Re: Symlink vulnerabilities Tavis Ormandy (Oct 25)