
Re: proposal: per-user temporary directories on by default?



* Kevin Kreamer 


[...]

| Ok, I've done some thinking on this as well, and this is what I've
| come up with.  I don't think making sure that the base directory is
| owned by root will protect you, as that would still allow an
| attacker to put a tmpdir in most system areas.  What we really need
| is to make sure that the tmpdir is created where the admin wants, not
| where the user wants.

Indeed, you are right.  Having it be 711 + owned by root would make
it pretty safe, though I don't want to do that, since suddenly
/var/run/sudo or something would be 711 and then you'd have a _big_
problem. 

| Since the helper has to be setuid, and has to be runnable by anyone
| (since the PAM stuff uses the permissions of whoever is logging in),
| we can't pass the path into the helper.  It has to already know where
| to make the path.  So, it seems to me that the best approach is to
| have both pam_tmpdir.so and the helper read the configuration file
| independently to find out where to put the tmpdir.  However, since
| the helper won't know what service is being used, and therefore won't
| know which pam.d file to read, we'll have to use a completely
| independent config file (/etc/pam-tmpdir.conf or something like that).

Either that, or pass the service name on the command line.  It's
significantly less work to parse one's own configuration file than
to parse the PAM config file, so having a separate config file for
libpam-tmpdir might make sense.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  
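As an added illustration of the design discussed in this thread (this is example code written for this page, not code from libpam-tmpdir or from either poster): a minimal setuid-style helper in C that takes no path from its caller, reads the base directory from its own configuration file, refuses a base directory that is not a real, root-owned, non-group/world-writable directory, and only then creates the per-user subdirectory beneath it. The config file name /etc/pam-tmpdir.conf and its `tmpdir = /path` syntax are assumptions, as is the layout `<base>/<uid>`. The required owner of the base directory is a parameter (the real helper passes 0) so the check can be exercised as an unprivileged user; the per-user entry is opened with O_NOFOLLOW so a pre-planted symlink is rejected rather than followed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed config file: the helper reads it itself and accepts no path from
 * argv, because a setuid helper runnable by anyone cannot trust its caller. */
#define CONFIG_PATH "/etc/pam-tmpdir.conf"

/* Parse the first "tmpdir = /abs/path" line (assumed syntax) out of the
 * config text.  Returns 0 and fills `out` on success, -1 otherwise.  Only
 * absolute paths without a ".." component are accepted. */
int parse_tmpdir_config(const char *text, char *out, size_t outlen)
{
    char line[256];
    while (*text) {
        size_t n = strcspn(text, "\n");            /* copy one line */
        if (n >= sizeof line) { text += n; if (*text) text++; continue; }
        memcpy(line, text, n);
        line[n] = '\0';
        text += n;
        if (*text) text++;

        char *p = line + strspn(line, " \t");
        if (*p == '#' || strncmp(p, "tmpdir", 6) != 0) continue;
        p += 6;
        p += strspn(p, " \t");
        if (*p != '=') continue;
        p++;
        p += strspn(p, " \t");
        size_t vlen = strlen(p);                    /* trim trailing blanks */
        while (vlen && strchr(" \t\r", p[vlen - 1])) vlen--;
        p[vlen] = '\0';
        if (vlen == 0 || p[0] != '/' || strstr(p, "/../") ||
            (vlen >= 3 && strcmp(p + vlen - 3, "/..") == 0) || vlen >= outlen)
            return -1;
        memcpy(out, p, vlen + 1);
        return 0;
    }
    return -1;
}

/* Open the configured base directory and verify it is trustworthy: a real
 * directory (O_NOFOLLOW rejects a symlink), owned by `owner` (0 in the real
 * helper) and writable by nobody else.  Returns a directory fd or -1. */
int open_trusted_base(const char *base, uid_t owner)
{
    int fd = open(base, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Create <base>/<uid> for the user, owned by them, mode 0700.  An entry that
 * already exists is accepted only if it is already that user's 0700
 * directory; a symlink or someone else's directory is refused.  Returns 0
 * on success, -1 on failure. */
int make_user_tmpdir(int basefd, uid_t uid, gid_t gid)
{
    char name[32];
    snprintf(name, sizeof name, "%lu", (unsigned long)uid);
    int created = (mkdirat(basefd, name, 0700) == 0);
    if (!created && errno != EEXIST) return -1;
    int fd = openat(basefd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                          /* ELOOP on a planted symlink */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) {
        if (created)                                /* ours: hand it to the user */
            rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, 0700) == 0) ? 0 : -1;
        else if (st.st_uid == uid && (st.st_mode & 07777) == 0700)
            rc = 0;                                 /* pre-existing and correct */
    }
    close(fd);
    return rc;
}

int main(void)
{
    char text[4096], base[256];
    FILE *f = fopen(CONFIG_PATH, "r");
    if (!f) { perror(CONFIG_PATH); return 1; }
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    if (parse_tmpdir_config(text, base, sizeof base) < 0) {
        fprintf(stderr, "no usable tmpdir line in %s\n", CONFIG_PATH);
        return 1;
    }
    int bfd = open_trusted_base(base, 0);           /* base must be root-owned */
    if (bfd < 0) { perror(base); return 1; }
    /* the real uid is the user being logged in; the helper runs setuid root */
    int rc = make_user_tmpdir(bfd, getuid(), getgid());
    close(bfd);
    if (rc == 0) printf("%s/%lu\n", base, (unsigned long)getuid());
    return rc == 0 ? 0 : 1;
}
```

Two details carry the weight here. The base directory is fixed by root's config and validated before use, which is what keeps a caller from steering the helper at /var/run/sudo or any other system directory. And the per-user entry is created and then reopened with O_NOFOLLOW and fstat'd, so the helper never chowns or chmods anything it did not just create itself; a symlink or foreign directory planted under the same name fails closed instead of being handed to the user.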


