Date: Fri, 22 Feb 2002 18:18:31 -0800 From: Kris Kennaway <kris@obsecurity.org> To: =?iso-8859-1?Q?Milon_Papez=EDk?= <Milon.Papezik@oskarmobil.cz> Cc: 'Kris Kennaway' <kris@obsecurity.org>, 'Matthew Dillon' <dillon@apollo.backplane.com>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG> Subject: Re: RE: Third /tmp location ? Message-ID: <20020222181831.B17981@xor.obsecurity.org> In-Reply-To: <B57AF59C8ABFD411BBE000508BF300F303B70636@wh01ex01.oskarmobil.cz>; from Milon.Papezik@oskarmobil.cz on Sat, Feb 23, 2002 at 02:31:42AM %2B0100 References: <B57AF59C8ABFD411BBE000508BF300F303B70636@wh01ex01.oskarmobil.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Sat, Feb 23, 2002 at 02:31:42AM +0100, Milon Papezík wrote: > Hi, > > I think that no utility shall create world writable directories on the fly. > It shall report an error and probably point out that environment variable > can be set. > > Also there seems to be too many places where hardcoded use of '/usr/tmp' is > attempted: Well, certainly utilities shouldn't be creating the directory on the fly but I don't see any major problems with using it as a fallback if it exists, since if it's there then it's a valid directory to use for temporary files. However, everything which uses a temporary directory should respect the canonical TMPDIR environment variable to allow the location to be user-specified. There are probably quite a few places which don't do this. This isn't really a security issue though, and should be taken to one of the code discussion lists if you want to take it further. Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8dvv2Wry0BWjoQKURAulKAJ9q/FEp6SX2GRG4I2i2bH4rb3XtxgCfYHDl PMreddCneT6SIsfg6fE6bVs= =MgcM -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020222181831.B17981>