Date: Fri, 22 Feb 2002 15:27:14 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Milon Papezík <Milon.Papezik@oskarmobil.cz>, 'Matthew Dillon' <dillon@apollo.backplane.com>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: RE: Third /tmp location ?
Message-ID: <20020222152714.B16356@xor.obsecurity.org>
In-Reply-To: <20020222152529.A16356@xor.obsecurity.org>; from kris@obsecurity.org on Fri, Feb 22, 2002 at 03:25:29PM -0800
References: <B57AF59C8ABFD411BBE000508BF300F303B70634@wh01ex01.oskarmobil.cz> <20020222152529.A16356@xor.obsecurity.org>

On Fri, Feb 22, 2002 at 03:25:29PM -0800, Kris Kennaway wrote:
> On Sat, Feb 23, 2002 at 12:13:55AM +0100, Milon Papezík wrote:
> > Hi,
> >
> > I simply installed 4.5R from ISO image with separate /, /usr, /var and
> > /home.
> >
> > After some configuration I run automated security check (script)
> > and it reported 3rd world writable directory /usr/tmp.
> > That was quite a surprise to me, especially with respect
> > to the debate over it some time ago on this list.
>
> Hmm.. there are faint bells ringing in my head somewhere which are
> telling me it might be something to do with pkg_add: I think I've seen
> this once or twice before, but it didn't bother me enough to track it
> down. It's pretty likely I'm just randomly associating but if anyone
> is looking into this it might be something to check.
Well, 10 seconds in the code shows this:

/* Find a good place to play. */
static char *
find_play_pen(char *pen, off_t sz)
{
    char *cp;
    struct stat sb;

    if (pen[0] && isdir(dirname(pen)) == TRUE && (min_free(dirname(pen)) >= sz))
        return pen;
    else if ((cp = getenv("PKG_TMPDIR")) != NULL && stat(cp, &sb) != FAIL && (min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if ((cp = getenv("TMPDIR")) != NULL && stat(cp, &sb) != FAIL && (min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if (stat("/var/tmp", &sb) != FAIL && min_free("/var/tmp") >= sz)
        strcpy(pen, "/var/tmp/instmp.XXXXXX");
    else if (stat("/tmp", &sb) != FAIL && min_free("/tmp") >= sz)
        strcpy(pen, "/tmp/instmp.XXXXXX");
    else if ((stat("/usr/tmp", &sb) == SUCCESS || mkdir("/usr/tmp", 01777) == SUCCESS) && min_free("/usr/tmp") >= sz)
        strcpy(pen, "/usr/tmp/instmp.XXXXXX");
    else {
        cleanup(0);
        errx(2, __FUNCTION__
            ": can't find enough temporary space to extract the files, please set your\n"
            "PKG_TMPDIR environment variable to a location with at least %ld bytes\n"
            "free", (long)sz);
        return NULL;
    }
    return pen;
}

If /var/tmp and /tmp aren't big enough to extract the package it
creates /usr/tmp and uses it.
Kris
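
A fallback that avoids the side effect shown in the message, as an added example (not pkg_add code and not from the author or the FreeBSD project): missing parents are skipped rather than created with mode 01777, and extraction is staged in a private mkdtemp() directory. The names pick_play_pen() and free_bytes() and the candidate-list parameter are hypothetical.

```c
#define _XOPEN_SOURCE 700	/* for mkdtemp() and S_ISVTX */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>

/* Free bytes available to unprivileged callers on the filesystem holding dir. */
static uintmax_t
free_bytes(const char *dir)
{
	struct statvfs vfs;

	if (statvfs(dir, &vfs) != 0)
		return 0;
	return (uintmax_t)vfs.f_bavail * (uintmax_t)vfs.f_frsize;
}

/*
 * Create a private staging directory under the first usable candidate.
 * Unlike the mkdir("/usr/tmp", 01777) fallback quoted above, a missing
 * parent is never created. Returns 0 and fills pen on success, -1 (with
 * pen emptied) when no candidate qualifies.
 */
int
pick_play_pen(const char *const *cand, size_t n, off_t need, char *pen, size_t penlen)
{
	struct stat sb;
	size_t i;

	for (i = 0; i < n; i++) {
		if (stat(cand[i], &sb) != 0 || !S_ISDIR(sb.st_mode))
			continue;	/* missing parent: skip, do not create */
		if ((sb.st_mode & S_IWOTH) && !(sb.st_mode & S_ISVTX))
			continue;	/* world-writable without the sticky bit */
		if (need < 0 || free_bytes(cand[i]) < (uintmax_t)need)
			continue;	/* not enough room to extract */
		if ((size_t)snprintf(pen, penlen, "%s/instmp.XXXXXX", cand[i]) >= penlen)
			continue;	/* path would be truncated */
		if (mkdtemp(pen) != NULL)
			return 0;	/* created with mode 0700 minus umask */
	}
	if (penlen > 0)
		pen[0] = '\0';
	return -1;
}
```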
