Date: Fri, 22 Feb 2002 20:24:23 -0800
From: Kris Kennaway
To: Robert Herrold
Cc: Kris Kennaway, Milon Papezík, 'Matthew Dillon', "'freebsd-security@freebsd.org'"
Subject: Re: RE: Third /tmp location ?
Message-ID: <20020222202422.A19056@xor.obsecurity.org>
References: <20020222181831.B17981@xor.obsecurity.org> <023101c1bc11$ddc49b40$6c01a8c0@mpcsecurity.com>
In-Reply-To: <023101c1bc11$ddc49b40$6c01a8c0@mpcsecurity.com>; from bobber@intense.net on Fri, Feb 22, 2002 at 08:29:06PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, Feb 22, 2002 at 08:29:06PM -0600, Robert Herrold wrote:
> This isn't really a security issue though, and should be taken to one
> of the code discussion lists if you want to take it further.
>
> Kris
>
> I disagree. This world writable tmp directory is vanilla with a fresh
> install. I don't think this is something to take lightly at all.

I was referring to the email I was immediately responding to,
regarding fixing /tmp usage in other applications in the tree.

Regarding the mkdir() in pkg_add, one should be careful in just
removing it, because the default /tmp and /var/tmp directories are
probably not large enough to be able to install huge packages like
e.g. tetex, because pkg_add unpacks the package in the temporary
directory before installing. We have a number of packages which are
over 100MB in size, compressed, and if you don't have a temporary
directory available with enough space, installation from sysinstall
will fail.

Kris