From owner-freebsd-security Thu Jan 9 22:20:36 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id WAA21503 for security-outgoing; Thu, 9 Jan 1997 22:20:36 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id WAA21461 for ; Thu, 9 Jan 1997 22:20:06 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0viaIK-0006bf-00; Thu, 9 Jan 1997 23:18:24 -0700
To: Steve Reid
Subject: Re: Obvious fix for tempfile race conditions?
Cc: freebsd-security@freebsd.org
In-reply-to: Your message of "Thu, 09 Jan 1997 22:06:54 PST."
References:
Date: Thu, 09 Jan 1997 23:18:24 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Steve Reid writes:
: Just because it _can_ be done safely doesn't mean that it _is_ being
: done safely.

But it *IS* being done safely on OpenBSD. I see no reason why it can't be so on FreeBSD. The example you cited was just security ignorance on the part of the /etc/security writer.

For example, I have /tmp not on my root, but on my /usr, so /tmp itself is a symlink. This proposed change would work only for systems that had /tmp being its own partition. Other systems would still be vulnerable because we can't disable symlinks on / w/o breaking a whole lot of things (remote dumping, and termcap come to mind). In addition, it is nice to have things like tftpboot not on /, but pointing off somewhere else.

: I'd bet there are other, less obvious problems in other programs.

You are right. I have some changes in my queue to fix that however.

: Disabling symlinks in /tmp would greatly reduce a cracker's options.

Not really. There are so many holes in FreeBSD right now, I doubt it would slow them down much. Holes I'm working on closing, BTW. Here "so many" means "at least one known that gives you root."

It's a nice idea to have the kernel somehow magically solve the problems of security, but oftentimes there is no substitute for good coding habits. Paraphrasing Brooks, there are no silver bullets in security.

Warner
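
The coding habit at issue in this thread, as an added example that is not part of the message above and not FreeBSD code: a temp file opened under a predictable name without O_EXCL follows a symlink already sitting at that name, while an exclusive create refuses it. The function names and the scratch directory layout are assumptions made for the illustration, and the scenario is constructed inside a private directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Habit to avoid: predictable name, no O_EXCL. open() follows whatever
 * already sits at `path`, symlinks included, and truncates the target. */
int naive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Careful habit: with O_CREAT|O_EXCL, open() fails with EEXIST if anything
 * exists at `path`; POSIX says a symlink there is not followed. */
int careful_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: "target" holds 10 bytes and the predictable name
 * "work.tmp" is already a symlink to it. Returns target's size after the
 * create attempt (-1 on setup failure); *err gets the attempt's errno or 0. */
long scenario(int (*create)(const char *), int *err) {
    char dir[] = "/tmp/tmprace.XXXXXX", target[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/work.tmp", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;
    errno = 0;
    fd = create(tmp);                 /* the call under test */
    *err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e; long n = scenario(naive_create, &e);
    printf("naive:   errno=%d, target now %ld bytes\n", e, n);
    n = scenario(careful_create, &e);
    printf("careful: errno=%d, target now %ld bytes\n", e, n);
    return 0;
}
```

mkstemp(3) combines the same exclusive create with an unpredictable name, which is why it is the usual choice over a hand-rolled open().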