hi, On Thu, Nov 03, 2005 at 11:16:43PM -0500, Noah Meyerhans wrote: > Within the security team, there has recently been some talk of pushing > for per-user temp directories by default in etch. I'd like to see what > people's reaction to such a proposal would be. granted that i don't know the specifics of this module, but from my perspective i think it would be reasonable to include this in the default setup. > There are a number of outstanding "insecure tempfile vulnerabilities", > and there has been some talk that they're both too numerous and of low > enough impact that they're not even worth releasing DSAs for. Never the > less, they are potentially dangerous and should be dealt with on some > level. We believe that using libpam_tmpdir by default should make > nearly all of these vulnerabilities cease to be relevant (there are some well, cease to be relevant for releases after etch, maybe... but you still have the lifespan of woody + sarge + etch during which they would still be relevant. so this isn't exactly an immediate benefit :) sean --
Attachment:
signature.asc
Description: Digital signature