Date: Tue, 7 Jan 1997 22:31:17 -0500 (EST)
From: Matt Braithwaite <m-braithwaite@sjca.edu>
To: freebsd-security@freebsd.org
Subject: Obvious fix for tempfile race conditions?
Message-ID: <199701080331.WAA02781@continuity.sjca.edu>
This seems pretty obvious to me, so maybe I have something wrong, but:

As I understand it, there is a class of security holes that derives from the ability of a random user to create a symlink in /tmp to some file, such that a root or SUID root program will follow the link and either damage or in some cases alter the file to produce a security hole.

If I've got that much of it right, why not simply add a mount option to disable symlinks on a given filesystem? (Not saying the implementation is simple, just the idea. :-) ) /tmp is normally its own filesystem, so this doesn't seem to have any major disadvantages. And it doesn't require all those programs out there that do sloppy things with temp files to be rewritten.

Of course there might be programs that depend on the ability to make symlinks in /tmp, but I've sure never seen any. Maybe for these programs there could be something like HTTPd's SymLinksIfOwnerMatch option...

Any comments?

-- 
Matt Braithwaite
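As an added illustration (not code from the post or from FreeBSD) of the program-side fix that sloppy temp-file handling would need without the proposed mount option: opening the temp file with O_CREAT|O_EXCL|O_NOFOLLOW refuses a pre-planted symlink instead of following it. The directory, file names and the planted link below are constructed for the demonstration, and the code assumes a POSIX system where open(2) supports O_EXCL and O_NOFOLLOW.

```c
/* Added example, not from the original post: creating a temp file under a
 * world-writable directory so that a planted symlink is refused rather than
 * followed. Assumes POSIX open(2) with O_EXCL and O_NOFOLLOW (FreeBSD, Linux). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` atomically. O_CREAT|O_EXCL fails with EEXIST if anything is
 * already there, so there is no check-then-open window to race, and O_NOFOLLOW
 * refuses a symlink at the last component (ELOOP). Success means this call
 * created a fresh regular file; on failure -1 is returned with errno set. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: <dir>/spool is a symlink to <dir>/victim, the way an
 * unprivileged user could pre-create a link in /tmp. A naive O_CREAT|O_TRUNC
 * open would follow it and truncate victim; the hardened open must fail and
 * leave victim's four bytes intact. Returns 1 on that outcome, else 0. */
int demo_refuses_planted_symlink(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64];
    struct stat st;
    int ok = 0, fd = -1, v;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/spool", dir);
    v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v >= 0 && write(v, "keep", 4) == 4 && symlink(victim, lnk) == 0) {
        fd = open_tmp_exclusive(lnk);
        if (fd < 0 && (errno == EEXIST || errno == ELOOP)
            && stat(victim, &st) == 0 && st.st_size == 4)
            ok = 1;
    }
    if (fd >= 0) close(fd);
    if (v >= 0) close(v);
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}
```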