Date: Fri, 22 Feb 2002 18:18:31 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Milon Papezík <Milon.Papezik@oskarmobil.cz>
Cc: 'Kris Kennaway' <kris@obsecurity.org>, 'Matthew Dillon' <dillon@apollo.backplane.com>, "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: RE: Third /tmp location ?
Message-ID: <20020222181831.B17981@xor.obsecurity.org>
In-Reply-To: <B57AF59C8ABFD411BBE000508BF300F303B70636@wh01ex01.oskarmobil.cz>; from Milon.Papezik@oskarmobil.cz on Sat, Feb 23, 2002 at 02:31:42AM +0100
References: <B57AF59C8ABFD411BBE000508BF300F303B70636@wh01ex01.oskarmobil.cz>

On Sat, Feb 23, 2002 at 02:31:42AM +0100, Milon Papezík wrote:
> Hi,
>
> I think that no utility shall create world writable directories on the fly.
> It shall report an error and probably point out that environment variable
> can be set.
>
> Also there seems to be too many places where hardcoded use of '/usr/tmp' is
> attempted:

Well, certainly utilities shouldn't be creating the directory on the fly but I don't see any major problems with using it as a fallback if it exists, since if it's there then it's a valid directory to use for temporary files.

However, everything which uses a temporary directory should respect the canonical TMPDIR environment variable to allow the location to be user-specified. There are probably quite a few places which don't do this.

This isn't really a security issue though, and should be taken to one of the code discussion lists if you want to take it further.

Kris
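The selection policy discussed in this message, as an added example that is not part of the original e-mail or of any FreeBSD utility: honor TMPDIR first, fall back to directories that already exist, and never create one on the fly. The function names, the fallback order and the `example.XXXXXX` template are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Usable = already exists, is a directory, and we may create files in it.
 * Nothing here calls mkdir(): a missing directory is simply skipped. */
static int usable_dir(const char *path)
{
    struct stat sb;

    if (path == NULL || path[0] == '\0')
        return 0;
    if (stat(path, &sb) != 0 || !S_ISDIR(sb.st_mode))
        return 0;
    return access(path, W_OK | X_OK) == 0;
}

/* tmpdir_env is the value of getenv("TMPDIR") (may be NULL); fallbacks is
 * a NULL-terminated list (hypothetical order: /tmp, then /usr/tmp). */
const char *pick_tmpdir(const char *tmpdir_env, const char *const *fallbacks)
{
    if (usable_dir(tmpdir_env))
        return tmpdir_env;              /* user-specified location wins */
    for (; fallbacks != NULL && *fallbacks != NULL; fallbacks++)
        if (usable_dir(*fallbacks))
            return *fallbacks;          /* used only because it exists */
    return NULL;                        /* caller reports an error */
}

/* Create an already-unlinked temporary file in dir; returns fd or -1. */
int open_temp_in(const char *dir)
{
    char path[1024];
    int n, fd;

    if (dir == NULL)
        return -1;
    n = snprintf(path, sizeof(path), "%s/example.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;
    fd = mkstemp(path);                 /* exclusive create, mode 0600 */
    if (fd >= 0)
        unlink(path);
    return fd;
}
```

A caller would pass `getenv("TMPDIR")` and, when `pick_tmpdir()` returns NULL, print an error that mentions TMPDIR instead of creating a directory.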