From: Matt Braithwaite
Date: Tue, 7 Jan 1997 22:31:17 -0500 (EST)
Message-Id: <199701080331.WAA02781@continuity.sjca.edu>
Reply-To: m-braithwaite@sjca.edu
X-Organization: The Ancient Illuminated Seers of Bavaria
To: freebsd-security@freebsd.org
Subject: Obvious fix for tempfile race conditions?

This seems pretty obvious to me, so maybe I have something wrong, but:

As I understand it, there is a class of security holes that derives from the ability of a random user to create a symlink in /tmp to some file, such that a root or SUID root program will follow the link and either damage or in some cases alter the file to produce a security hole.

If I've got that much of it right, why not simply add a mount option to disable symlinks on a given filesystem? (Not saying the implementation is simple, just the idea. :-) ) /tmp is normally its own filesystem, so this doesn't seem to have any major disadvantages. And it doesn't require all those programs out there that do sloppy things with temp files to be rewritten.

Of course there might be programs that depend on the ability to make symlinks in /tmp, but I've sure never seen any.
Maybe for these programs there could be something like HTTPd's SymLinksIfOwnerMatch option...

Any comments?

--
Matt Braithwaite
http://www.sjca.edu/
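The per-program fix that the post's mount option is meant to make unnecessary, shown as an added example that is not part of the original message: a temp-file open that refuses a planted symlink (O_EXCL plus O_NOFOLLOW), beside the sloppy O_CREAT|O_TRUNC pattern that follows it. It assumes Linux/BSD open(2) semantics and a writable /tmp; all helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The sloppy pattern the post describes: O_CREAT without O_EXCL, so a
 * planted /tmp/scratch -> /etc/passwd link is silently followed and the
 * target truncated.  All helper names here are hypothetical. */
static int sloppy_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Per-program fix: O_EXCL rejects any existing name, symlink included
 * (EEXIST); O_NOFOLLOW rejects traversing a symlink (ELOOP). */
static int safe_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds a private directory with a 7-byte "victim" file and a "scratch"
 * symlink to it, then tries both opens on the link.  Returns a bitmask:
 * 1 = hardened open refused, 2 = victim still 7 bytes after it,
 * 4 = sloppy open then truncated victim to 0 bytes.  -1 on setup error. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/racedemo.XXXXXX", victim[64], lnk[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/scratch", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    if (write(fd, "secret\n", 7) != 7) return -1;
    close(fd);
    if (symlink(victim, lnk) != 0) return -1;      /* the planted link */
    fd = safe_tmp_open(lnk);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 1;
    else if (fd >= 0) close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 7) result |= 2;
    if ((fd = sloppy_tmp_open(lnk)) >= 0) close(fd);  /* follows the link */
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 4;
    unlink(lnk); unlink(victim); rmdir(dir);
    return result;                                 /* 7 on Linux and BSD */
}
```

The SymLinksIfOwnerMatch variant floated above is essentially what Linux later shipped as the fs.protected_symlinks sysctl, which only follows a symlink in a sticky world-writable directory when the follower owns the link or the directory.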