Date: Thu, 9 Jan 1997 22:06:54 -0800 (PST)
From: Steve Reid <steve@edmweb.com>
To: Warner Losh <imp@village.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Obvious fix for tempfile race conditions?
Message-ID: <Pine.BSF.3.95.970109214858.1613A-100000@bitbucket.edmweb.com>
In-Reply-To: <E0viZGn-0006Qz-00@rover.village.org>
> : If I've got that much of it right, why not simply add a mount option
> : to disable symlinks on a given filesystem?
> Because it isn't needed? It is possible to safely remove a file in /tmp
> or other hostile grounds by using fchdir and comparing before and
> after inode# and device# using stat and fstat.

Just because it _can_ be done safely doesn't mean that it _is_ being done safely.

Consider the problem with /etc/security in 2.1.x: the script redirected the output of several commands onto a temporary file in /tmp, but made no checks on that file before writing to it. Any user could predict the filename and create a symlink, causing /etc/security to write to any file on the system. An obvious problem, and one would expect a script named "security" to pay attention to such issues. I'd bet there are other, less obvious problems in other programs.

Disabling symlinks in /tmp would greatly reduce a cracker's options.
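As an added illustration (not part of the thread, and not FreeBSD code), the following C snippet shows the defensive pattern the quoted reply alludes to: create the temp file with O_CREAT|O_EXCL so a pre-planted entry at the predictable name is refused, and confirm the descriptor still names the expected object by comparing device and inode numbers from lstat() against fstat(). It assumes a POSIX system that supports O_NOFOLLOW (not available in 2.1.x); the function names and the constructed demo directory are my own.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, lstat, symlink, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the temp file only if the name is untaken: O_EXCL makes open()
 * fail with EEXIST on any existing entry, a planted symlink included,
 * and O_NOFOLLOW refuses to follow a link.  Returns fd, or -1 with errno. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The dev/inode check from the quoted advice: lstat() sees a symlink as
 * itself, fstat() sees what we hold.  1 = same object, 0 = not, -1 = error. */
int fd_matches_path(int fd, const char *path)
{
    struct stat by_name, by_fd;
    if (lstat(path, &by_name) != 0 || fstat(fd, &by_fd) != 0) return -1;
    return by_name.st_dev == by_fd.st_dev && by_name.st_ino == by_fd.st_ino;
}

/* Constructed demo in a fresh private directory: plant a symlink at the
 * predictable name, show the exclusive open refuses it, then open an
 * untaken name and run the check.  Returns 0 if every step behaves. */
int demo_tmp_race_defense(void)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX";   /* hypothetical scratch dir */
    char planted[128], fresh[128], victim[128];
    int rc = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(planted, sizeof planted, "%s/security.out", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/security.%ld", dir, (long)getpid());
    if (symlink(victim, planted) != 0) return -2;   /* the planted link */
    fd = open_tmp_exclusive(planted);               /* must be refused */
    if (fd != -1 || (errno != EEXIST && errno != ELOOP)) { rc |= 1; if (fd >= 0) close(fd); }
    fd = open_tmp_exclusive(fresh);                 /* untaken name: ok */
    if (fd < 0) rc |= 2;
    else {
        if (fd_matches_path(fd, fresh) != 1) rc |= 4;    /* same dev/inode */
        if (fd_matches_path(fd, planted) != 0) rc |= 8;  /* the link differs */
        close(fd);
        unlink(fresh);
    }
    unlink(planted); rmdir(dir);
    return rc;
}
```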