From: Kris Kennaway
To: Kris Kennaway
Cc: Milon Papezík, 'Matthew Dillon', "'freebsd-security@freebsd.org'"
Date: Fri, 22 Feb 2002 15:27:14 -0800
Subject: Re: RE: Third /tmp location ?
Message-ID: <20020222152714.B16356@xor.obsecurity.org>

On Fri, Feb 22, 2002 at 03:25:29PM -0800, Kris Kennaway wrote:
> On Sat, Feb 23, 2002 at 12:13:55AM +0100, Milon Papezík wrote:
> > Hi,
> >
> > I simply installed 4.5R from ISO image with separate /, /usr, /var and
> > /home.
> >
> > After some configuration I run automated security check (script)
> > and it reported 3rd world writable directory /usr/tmp.
> > That was quite a surprise to me, especially with respect
> > to the debate over it some time ago on this list.
>
> Hmm..
> there are faint bells ringing in my head somewhere which are
> telling me it might be something to do with pkg_add: I think I've seen
> this once or twice before, but it didn't bother me enough to track it
> down. It's pretty likely I'm just randomly associating but if anyone
> is looking into this it might be something to check.

Well, 10 seconds in the code shows this:

/* Find a good place to play. */
static char *
find_play_pen(char *pen, off_t sz)
{
    char *cp;
    struct stat sb;

    if (pen[0] && isdir(dirname(pen)) == TRUE && (min_free(dirname(pen)) >= sz))
        return pen;
    else if ((cp = getenv("PKG_TMPDIR")) != NULL && stat(cp, &sb) != FAIL && (min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if ((cp = getenv("TMPDIR")) != NULL && stat(cp, &sb) != FAIL && (min_free(cp) >= sz))
        sprintf(pen, "%s/instmp.XXXXXX", cp);
    else if (stat("/var/tmp", &sb) != FAIL && min_free("/var/tmp") >= sz)
        strcpy(pen, "/var/tmp/instmp.XXXXXX");
    else if (stat("/tmp", &sb) != FAIL && min_free("/tmp") >= sz)
        strcpy(pen, "/tmp/instmp.XXXXXX");
    else if ((stat("/usr/tmp", &sb) == SUCCESS || mkdir("/usr/tmp", 01777) == SUCCESS) && min_free("/usr/tmp") >= sz)
        strcpy(pen, "/usr/tmp/instmp.XXXXXX");
    else {
        cleanup(0);
        errx(2, __FUNCTION__ ": can't find enough temporary space to extract the files, please set your\n"
             "PKG_TMPDIR environment variable to a location with at least %ld bytes\n"
             "free", (long)sz);
        return NULL;
    }
    return pen;
}

If /var/tmp and /tmp aren't big enough to extract the package it
creates /usr/tmp and uses it.

Kris
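
Added example, not part of the original message and not pkg_add's code: one way a play-pen picker could avoid the mkdir("/usr/tmp", 01777) fallback quoted above, by never creating a shared temporary directory itself, skipping world-writable candidates that lack the sticky bit, and creating the pen with mkdtemp(). The names pen_dir_ok, free_bytes and make_play_pen and the candidate list in main() are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose mkdtemp() and S_ISVTX */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Hypothetical helper: a candidate must already exist as a directory, and if
 * it is world-writable it must carry the sticky bit. Nothing is mkdir()ed. */
static int pen_dir_ok(const char *dir)
{
    struct stat sb;
    if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode))
        return 0;
    if ((sb.st_mode & S_IWOTH) && !(sb.st_mode & S_ISVTX))
        return 0;
    return 1;
}

/* Bytes available to an unprivileged writer (the role min_free() plays). */
static off_t free_bytes(const char *dir)
{
    struct statvfs fs;
    return statvfs(dir, &fs) == 0 ? (off_t)fs.f_bavail * (off_t)fs.f_frsize : 0;
}

/* First qualifying candidate wins; pen becomes a fresh 0700 dir via mkdtemp(). */
static char *make_play_pen(char *pen, size_t len, const char *const *cands, off_t sz)
{
    int n;
    for (; *cands != NULL; cands++) {
        if (!pen_dir_ok(*cands) || free_bytes(*cands) < sz)
            continue;
        n = snprintf(pen, len, "%s/instmp.XXXXXX", *cands);
        if (n > 0 && (size_t)n < len && mkdtemp(pen) != NULL)
            return pen;
    }
    return NULL;   /* no candidate qualified; nothing was created */
}

int main(void)
{
    const char *cands[] = { "/var/tmp", "/tmp", NULL };   /* constructed list */
    char pen[1024];
    if (make_play_pen(pen, sizeof pen, cands, 1024 * 1024) == NULL)
        return 2;   /* caller should report the error and ask for PKG_TMPDIR */
    printf("play pen: %s\n", pen);
    return rmdir(pen) == 0 ? 0 : 1;
}
```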