
proposal: per-user temporary directories on by default?



There has been about one temporary file vulnerability in Debian per
month since the start of the year.  

Given the number of relatively unaudited programs that create
temporary files and the possible complexity of tempfile
vulnerabilities, I am not sure that all the problems will be found and
fixed any time soon.  In addition, on many machines there are probably
a fair number of local programs and scripts that make tempfiles
insecurely.

Most of the vulnerabilities could be hidden by per-user tempdirs.
That's not to say they should not be fixed for the benefit of people
on other systems or out of general cleanliness, but making them
unexploitable would be highly desirable.

There is already a PAM module, libpam-tmpdir, which automatically sets
this up on login by creating a per-user directory under /tmp and
pointing TMPDIR at it.  Despite the scary low version number of 0.04
it seems to work reliably and presumably any bugs could be fixed.

At the least I would like to see Debian prompt for this at
installation much as it does for shadow passwords.  Ideally it would
be on by default.

Perhaps some programs rely on temp files that are readable across
accounts, though I can't really think of any such.  To fail, I think
they would have to create a temporary file as one user and then need
to access it as another non-root user.  That seems a bit contrived.

It's possible there are some programs that are hardcoded to /tmp, but
that should be straightforward to detect, find and fix.

Doing this through PAM may cause issues with daemons that are started
by root but then change to another account that is not able to access
root's tmpdir.  However it ought to be straightforward to resolve this
if there is a general principle of per-user directories.  I think if
the daemon is started through su it will be OK.

-- 
Martin 
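
Added example, not part of the original message and not code from libpam-tmpdir: the shell functions below check that `$TMPDIR` really is a private per-user directory before creating a file in it, and list the scripts that hardcode `/tmp/` and so would gain nothing from the proposal. The function names and the "owned by the caller, mode 0700" policy are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; function names and the 0700 policy are assumptions.

# tmpdir_is_private DIR
# Succeeds only if DIR is a real directory (not a symlink), owned by the
# calling user, with no group or other permission bits set.
tmpdir_is_private() {
    d=${1%/}
    [ -n "$d" ] && [ -d "$d" ] && [ ! -L "$d" ] && [ -O "$d" ] || return 1
    case $(ls -ld -- "$d") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# private_tmpfile PREFIX
# Creates a file with an unpredictable name inside $TMPDIR and prints its
# path. Refuses to fall back to a shared directory such as /tmp.
private_tmpfile() {
    tmpdir_is_private "${TMPDIR:-}" || {
        echo "TMPDIR is unset or not a private directory" >&2
        return 1
    }
    mktemp "${TMPDIR%/}/$1.XXXXXX"
}

# find_hardcoded_tmp DIR
# Prints file:line:text for every line under DIR that names a literal
# /tmp/ path. Paths such as /var/tmp/ or "${TMPDIR:-/tmp}/x" are not
# reported: the first is a different directory, the second honours TMPDIR.
find_hardcoded_tmp() {
    grep -rnE '(^|[^[:alnum:]_.$}/-])/tmp/' -- "$1" 2>/dev/null
}
```

Source the file and run `find_hardcoded_tmp /usr/local/bin` to review local scripts; each hit is a candidate for rewriting around `private_tmpfile` or plain `mktemp` with `$TMPDIR`.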


