Re: Insecure admin scripts with /tmp temp files

To: Topi Miettinen <Topi.Miettinen@ml.tele.fi>
Cc: debian-devel@lists.debian.org
Subject: Re: Insecure admin scripts with /tmp temp files
From: Bill Mitchell <mitchell@mozcom.com>
Date: Fri, 1 Aug 1997 08:24:09 +0800 (PHT)
Message-id: <[🔎] Pine.LNX.3.96.970801081830.173A-100000@S002>
In-reply-to: <[🔎] 199707310914.MAA26362@pop.ml.tele.fi>

On Thu, 31 Jul 1997, Topi Miettinen wrote:

> There are several administrative programs that use temporary files in /tmp
> without proper checking, resulting in major security holes. To make
> problems worse, many packages have {post,pre}{inst,rm} scripts with the
> same holes.
[... worrisome examples ...]
> Maybe there should be a set of rules for using temp files in security
> critical applications (perhaps in Developers manual or Policy manual). Here
> are a few suggestions:
[... suggestions ...]

How about something like:

    TMPDIR=/tmp/$$
    mkdir -m 600 $TMPDIR     # an error here causes an abort
    do_something >$TMPDIR/somefile
    [...]
    rm -rf $TMPDIR



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

References:
- Insecure admin scripts with /tmp temp files
  - From: Topi Miettinen <Topi.Miettinen@ml.tele.fi>

Prev by Date: Re: dpkg-checkpackages
Next by Date: Re: boot-time kernel selection and /System.map mismatch
Previous by thread: Re: Insecure admin scripts with /tmp temp files
Next by thread: Libc6?
Index(es):
- Date
- Thread