On Fri, Nov 04, 2005 at 06:21:09PM +0100, Javier Fernández-Sanguino Peña wrote:

> A final point for consideration: libpam_tmpdir is not going to drive symlink
> attacks through temporary files away. There are packages that use temporary
> directories but are _not_ tmp. Some examples: the system's /var/lock/ and
> /dev/shm/, php4's /var/lib/php4 (see #257111 for some discussion about
> this), php5's /var/lib/php5, transcriber's /var/lib/transcriber/ (fixed, see
> #257112), apache-common's /var/lib/apache/mod-bandwidth/ (see #257108, which
> was "fixed" with a simple note in the README.Debian file), tetex-base's
> /var/cache/fonts/{pk,source,tfm} and /var/spool/texmf/{pk,source,tfm}. All
> those are possible targets for security vulnerabilities for the programs that
> use them and will not be covered by the introduction of libpam_tmpdir.

Please explain what attack vector you see for /var/lib/php4.  The semantics
for /var/lib/php4 were chosen very carefully to specifically *avoid*
security problems, and you made no mention in #257111 of specific attack
vectors that you were concerned about.  The only attack vector I can foresee
here would be a brute force attack to guess the names of session files
located within the directory, which is unavoidable without moving to
per-uid session directories by default (which then doesn't meet the needs of
sites that share session files across security contexts).

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
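The attack class Javier raises and Steve disputes for /var/lib/php4 is a symlink planted in a shared directory under a filename the victim program is expected to create. As an added illustration, not code from either poster nor from PHP's session handler, the following Python script sets up a world-writable sticky directory, plants a symlink under a constructed session filename, and contrasts a naive open() that follows the link with an O_CREAT|O_EXCL|O_NOFOLLOW open that refuses it. The directory layout, the session name and the victim file are all constructed for the demonstration; the real attack needs the attacker to predict the filename, which is exactly the guessing problem Steve describes.

```python
import os
import tempfile

# Constructed session file name an attacker would have to predict;
# the real names depend on the session ID generator.
SESSION_NAME = "sess_deadbeef"


def plant_symlink(shared_dir, target):
    """Attacker step: pre-create the expected session filename as a
    symlink pointing at a file the attacker cannot write directly."""
    link = os.path.join(shared_dir, SESSION_NAME)
    os.symlink(target, link)
    return link


def naive_write(shared_dir, data):
    """Vulnerable variant: open(..., 'w') follows the planted symlink and
    truncates/overwrites whatever it points at."""
    path = os.path.join(shared_dir, SESSION_NAME)
    with open(path, "w") as f:
        f.write(data)
    return path


def safe_create(shared_dir, data):
    """Hardened variant: O_CREAT|O_EXCL makes open() fail on any existing
    entry, including a symlink (POSIX requires this regardless of the
    link target); O_NOFOLLOW additionally guards non-create opens.
    Returns the path on success, None if something was already there."""
    path = os.path.join(shared_dir, SESSION_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return None
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run both variants against a planted symlink.
    Returns (victim file contents after the naive write, safe_create result)."""
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "shared")
        os.mkdir(shared, 0o1777)  # sticky, world-writable, like /tmp
        victim = os.path.join(base, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")

        plant_symlink(shared, victim)

        naive_write(shared, "attacker-controlled")
        with open(victim) as f:
            after_naive = f.read()

        safe = safe_create(shared, "session data")
        return after_naive, safe


if __name__ == "__main__":
    print(demo())
```

Note that the kernel's fs.protected_symlinks sysctl, where enabled, refuses to follow a symlink in a sticky world-writable directory when the follower's uid differs from the link owner's; the demonstration runs as a single user, so that mitigation does not trigger and the naive variant really does clobber the victim file. Neither variant addresses the other vector in the thread, brute-forcing existing session filenames to read another context's session data.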

