Re: overwrite any file with updatedb
On Tue, Mar 03, 1998 at 01:57:33PM -0500, Bryan Andregg wrote:
> >That's a solution? Sounds like Russian Roulette. It narrows the
> >window if danger tremendously, but doesn't eliminate it. There must
> >be a better answer.
> The solution is not to patch to make harder to predict file names but to
> create those files with mkstemp instead of mktemp. Sorry I wasn't more clear
> in the first place.
In my humble opinion *any* temporary file created with root-privileges
should reside in a special tmp directory like /var/adm/tmp or something
equal. This would deny *any* symlink-attacks, no matter how poor the
design of the program used is. You cannot rely on something which is not
proven to be used by everbody. So mktemp and mkstemp, etc. should
go and make their files in the desired directory if called by uid or euid
just my $.02
Sascha Runschke private eMail : email@example.com
Cell: +49-(0)177-2767693 Debian related : firstname.lastname@example.org
Get the power of Debian-linux - http://www.debian.org
Key fingerprint = EE354ADB C23E5FD4 38DDBBE7 8F065DBF
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
Trouble? e-mail to email@example.com .