
Re: proposal: per-user temporary directories on by default?



Tollef Fog Heen <tfheen@raw.no> writes:
> * Kevin Kreamer 
> [...]
>
> | [1] My solution as to how to get the path from libpam-tmpdir to
> | pam-tmpdir-helper was to pass it on the command line.  But, since
> | anyone can run pam-tmpdir-helper, anyone can create any tmpdir they
> | like anywhere on the system.  Very bad.
>
> Adding a sanity check that the base directory is owned by root, would
> that suffice?
>
> I think I'll have to think about this a little.

Ok, I've done some thinking on this as well, and this is what I've
come up with.  I don't think making sure that the base directory is
owned by root will protect you, as that would still allow an
attacker to put a tmpdir in most system areas.  What we really need
is to make sure that the tmpdir is created where the admin wants, not
where the user wants.

Since the helper has to be setuid, and has to be runnable by anyone
(since the PAM stuff uses the permissions of whoever is logging in),
we can't pass the path into the helper.  It has to already know where
to make the path.  So, it seems to me that the best approach is to
have both pam_tmpdir.so and the helper read the configuration file
independently to find out where to put the tmpdir.  However, since
the helper won't know what service is being used, and therefore won't
know which pam.d file to read, we'll have to use a completely
independent config file (/etc/pam-tmpdir.conf or something like that).

What do you think?

Kevin
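As an added illustration of the design Kevin describes (not code from libpam-tmpdir or from either poster), here is a C sketch of a helper that learns the base directory from its own config file rather than from the command line, checks that the base is a root-owned directory nobody else can write into, and names the per-user directory from the caller's real uid. The "base = <dir>" format, the file name /etc/pam-tmpdir.conf and all function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Constructed sample of the independent config file the message proposes;
   the "base = <dir>" format and the file name are assumptions. */
static const char *SAMPLE_CONF =
    "# /etc/pam-tmpdir.conf: where per-user tmpdirs live\n"
    "base = /tmp/user\n";
/* Reject any base that could steer the helper out of the admin's tree. */
static int valid_base(const char *p) {
    size_t n = strlen(p);
    if (p[0] != '/' || n < 2) return 0;                   /* absolute, not "/" */
    return !strstr(p, "/../") && !(n >= 3 && !strcmp(p + n - 3, "/.."));
}
/* Read "base = <dir>" from config text; returns 1 and fills out on success. */
int parse_base(const char *conf, char *out, size_t outlen) {
    char line[512], key[16], val[512];
    for (const char *p = conf; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= sizeof line) return 0;                 /* refuse overlong lines */
        memcpy(line, p, len); line[len] = '\0';
        p += len + (eol ? 1 : 0);
        if (line[0] == '#' || line[0] == '\0') continue;  /* comment or blank */
        if (sscanf(line, "%15s = %511s", key, val) == 2 && !strcmp(key, "base")) {
            if (!valid_base(val) || strlen(val) >= outlen) return 0;
            strcpy(out, val);
            return 1;
        }
    }
    return 0;                                             /* no usable base line */
}
/* The base must be a root-owned directory nobody else can write into. */
int base_is_safe(const char *base) {
    struct stat st;
    if (lstat(base, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
/* Create the caller's dir under base, named from the real uid (never argv),
   then confirm it is a directory the caller owns, not a planted symlink. */
int make_user_tmpdir(const char *base) {
    char path[1024]; struct stat st;
    int n = snprintf(path, sizeof path, "%s/%lu", base, (unsigned long)getuid());
    if (n <= 0 || (size_t)n >= sizeof path || !base_is_safe(base)) return 0;
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return 0;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == getuid() && (st.st_mode & 0077) == 0;
}
```

A real helper would drop the config read into the setuid part only, and the PAM module would parse the same file so both sides agree on the base without any user-supplied path.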
