From owner-freebsd-security  Tue Jun  6 23:12:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tellurus.tellurian.com.au (tellurus.tellurian.com.au [203.20.69.193])
	by hub.freebsd.org (Postfix) with ESMTP id 7A3EB37B6EE
	for <freebsd-security@FreeBSD.org>; Tue,  6 Jun 2000 23:12:14 -0700 (PDT)
	(envelope-from john@tellurus.tellurian.com.au)
Received: (from john@localhost) by tellurus.tellurian.com.au (8.8.5/8.7.3) id PAA25984; Wed, 7 Jun 2000 15:52:29 +0930 (CST)
From: John Brazel <john@tellurian.com.au>
Message-Id: <200006070622.PAA25984@tellurus.tellurian.com.au>
Subject: Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug)
To: Cy.Schubert@uumail.gov.bc.ca
Date: Wed, 7 Jun 100 15:52:28 +0930 (CST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <200006070424.e574Od303232@cwsys.cwsent.com> from "Cy Schubert - ITSD Open Systems Group" at Jun 6, 0 09:24:34 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >From a security standpoint a shared temporary filesystem coupled with 
> applications written as they are can be an invitation for compromise.  
> Suggestions ranging from no temporary filesystem at all to 
> subdirectories in /tmp for each user have been discussed on 
> FreeBSD-security and BUGTRAQ for many years.  Of course for root 
> /var/run reduces the risk.  The concept of a virtual temporary 
> filesystem for each user, e.g. /tmp as and address space addressable by 
> a single process group and only sharable by that process group or even 
> a single process, might go a long way to mitigate some of the risk.  

	What exactly ARE all the risks? At the risk of 'over-enthusiasm'
	(for want of a better phrase), would a purpose-written,
	security-oriented filesystem solve it?

	Something like /tmp, but with an embedded sticky bit (permanently
	set) and the inability to create symlinks (the symlink(2) syscall
	would return ENOSYS for that filesystem).

	The question, of course, is, would this fix enough of the problems
	to warrant all the effort? At the very least, backward compatibility
	wouldn't be affected.

J.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message