Re: /tmp exploits
> On Mon, Apr 20, 1998 at 11:47:20PM -0700, Guy Maor wrote:
>> Modifying libc to catch common security goals is a laudable goal, but
>> such a libc should go to experimental.
This may be a stupid question, but *what* /tmp exploit are we trying
to fix?
I ask solely because /tmp should already have some special attributes
set. Is this exploit something which is already solved by existing
permission flags? Is it something that could be solved by a new
permission flag?
How about this as a second proposal: modify libc, ext2fs and chattr
to support a new extended attribute:
chattr +X
This flag is only meaningful for directories. (The same bit could be
used for other purposes for files; perhaps we could reuse an existing
bit?)
If this is set, its immediate children will force O_EXCL if O_CREAT is
set. This is slightly different from the first proposal, since "broken"
code would still work *unless* an entry with the same name already
existed.
Since you aren't using a string comparison all of the problems associated
with it disappear. You could even walk the tree and set this bit on
*every* directory. Since it's controlled by a standard mechanism, it's
easy to write wrapper functions, when necessary, for suitably privileged
users.
Finally, since there is a workaround (chattr(); broken(); chattr();)
we can reasonably define this bit to apply to *all* users, including
root. If you don't want it at all, don't set the bit. If you do want
it but have broken applications, use wrappers.
Bear Giles
bear@coyotesong.com
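The behaviour Bear proposes can be tried out in userspace before anyone touches libc or ext2fs. The following is an added example, not code from the message or from Debian: a hypothetical open_x() wrapper that emulates the "+X" directory bit in process memory (mark_dir() stands in for chattr, since no real filesystem bit exists), then replays the classic /tmp symlink attack in a private temporary directory, once against plain open() and once against the wrapper. All function and file names are assumptions made for the demonstration.

```c
/* Userspace emulation of the proposed "chattr +X" directory bit: for any
 * path whose parent directory is marked, O_CREAT implies O_EXCL.
 * Hypothetical illustration only; the real proposal would live in libc/ext2fs. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_MARKED 8
static char marked_dirs[MAX_MARKED][PATH_MAX];   /* stand-in for the on-disk bit */
static int n_marked;

/* Emulated equivalent of "chattr +X dir". */
int mark_dir(const char *dir)
{
    if (n_marked >= MAX_MARKED || strlen(dir) >= PATH_MAX) return -1;
    strcpy(marked_dirs[n_marked++], dir);
    return 0;
}

/* Does the directory containing path carry the (emulated) +X bit? */
int parent_marked(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *parent = slash ? path : ".";          /* no slash: cwd */
    size_t len = slash ? (slash == path ? 1 : (size_t)(slash - path)) : 1;
    for (int i = 0; i < n_marked; i++)
        if (strlen(marked_dirs[i]) == len && strncmp(marked_dirs[i], parent, len) == 0)
            return 1;
    return 0;
}

/* open(2) as it would behave under the proposal: O_CREAT forces O_EXCL
 * inside a marked directory, for every caller including root. */
int open_x(const char *path, int flags, mode_t mode)
{
    if ((flags & O_CREAT) && parent_marked(path))
        flags |= O_EXCL;
    return open(path, flags, mode);
}

struct demo_result {
    int plain_followed;  /* 1 if plain open() created a file through the planted symlink */
    int x_errno;         /* errno from the same call via open_x (EEXIST expected) */
    int x_fresh_ok;      /* 1 if open_x still works when no entry exists yet */
};

/* Replays the /tmp symlink attack in a fresh private directory (constructed
 * test fixture), against plain open() and then against open_x().
 * Returns 0, or -1 if the fixture could not be set up. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/xdemo.XXXXXX";
    char victim[PATH_MAX], target[PATH_MAX];
    struct stat st;
    int fd;

    memset(r, 0, sizeof *r);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/app.tmp", dir);
    snprintf(target, sizeof target, "%s/clobbered", dir);

    /* Attacker: plant a symlink where the victim will create its temp file. */
    if (symlink(target, victim) != 0) return -1;

    /* "Broken" code: O_CREAT without O_EXCL follows the link and creates target. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) close(fd);
    r->plain_followed = (stat(target, &st) == 0);
    unlink(target);

    /* Same broken call under +X: O_EXCL is forced, the existing link means EEXIST. */
    mark_dir(dir);
    errno = 0;
    fd = open_x(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    r->x_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(victim);
    unlink(target);

    /* No pre-existing entry: the forced O_EXCL changes nothing, the call works. */
    fd = open_x(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    r->x_fresh_ok = (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("setup"); return 1; }
    printf("plain open() followed the planted symlink: %s\n", r.plain_followed ? "yes" : "no");
    printf("open_x() under +X: %s\n", r.x_errno == EEXIST ? "EEXIST (blocked)" : strerror(r.x_errno));
    printf("open_x() on a fresh name: %s\n", r.x_fresh_ok ? "ok" : "failed");
    return 0;
}
```

The third result is the point of the second proposal: code that never asked for O_EXCL keeps working until an attacker has planted an entry, at which moment it fails with EEXIST instead of writing through the link. Note that the demo directory is created by mkdtemp with mode 0700 and is not sticky, so newer kernels' symlink restrictions for world-writable directories do not interfere with the plain open() step.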