
Re: /run vs. /lib/run

On Friday 23 December 2005 10:36, Gabor Gombas <gombasg@sztaki.hu> wrote:
> On Thu, Dec 22, 2005 at 05:18:43PM +1100, Russell Coker wrote:
> > Putting system directories under /tmp is a really bad idea, it opens
> > possibilities of race condition attacks by unprivileged users against
> > system processes.  Generally for almost everything we should be looking
> > to reduce usage of /tmp rather than increase it.
> There are no user processes while scripts in /etc/rcS.d are running (not

There are processes run from rcS.d that use data written by untrusted user 
processes; /etc/init.d/nviboot is one example.

There are also processes that read network data (which is potentially 
hostile).  /etc/init.d/ntpdate is one example.

> even crontabs, since cron itself has not been started yet). And after
> rc.S has finished, there is no justification to use /run. I do not see
> the problem with using /tmp for /run.

Why not use /home?  Why not /root?  Both of those directories will work and 
should not be accessed from rcS.d, but for good design we don't want to do 

One of the problems with using a directory such as /tmp in a way other than 
its usual design under extraordinary circumstances is that people will see 
the code in question, not understand the situation in which it was run, and 
write other code that runs in multi-user mode which does similar things.  
Another problem is that code which is written to run in single-user mode may 
get changed to run in multi-user mode.  A little thing like insecure 
temporary file use in /tmp is not something that a typical sys-admin or 
programmer is likely to notice when changing a program to run at a different 

> Moreover, I still mean to mount a temporary tmpfs over /tmp, so unless
> you explicitly do a "chmod a+w /tmp", normal user processes will not
> even be able to write to /tmp until the real /tmp is mounted (or if /tmp
> is on /, until the tmpfs is unmounted).

The default for a tmpfs is that the root directory is mode 1777, so if you 
don't explicitly remove such access then it's granted.  You might want to do 
some tests of some of the things you are suggesting.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
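The two points above (a world-writable directory is the default for a tmpfs, and insecure temporary file use goes unnoticed when a script moves from single-user to multi-user mode) can be checked mechanically. The following is an added example, not code from this thread or from any Debian init script: a small POSIX sh helper an init script could use to classify the directory it wants to keep state in, and to fall back to mktemp (atomic O_EXCL creation with a random suffix) whenever that directory turns out to be shared. The directory and file names are constructed for the demo; only find, chmod and mktemp are assumed.

```sh
#!/bin/sh
# Added example (not part of the original thread).
# Assumes POSIX sh, find, chmod and mktemp; all paths below are constructed.

# Print one of "private", "sticky" or "world-writable" for directory $1.
# "find -prune" keeps find on the directory itself instead of descending;
# -perm -0002 tests the other-write bit, -perm -1000 the sticky bit.
dir_class() {
    d=$1
    if [ -n "$(find "$d" -prune -perm -0002 -print)" ]; then
        if [ -n "$(find "$d" -prune -perm -1000 -print)" ]; then
            echo sticky            # e.g. a freshly mounted tmpfs (1777)
        else
            echo world-writable    # no sticky bit: anyone can rename/unlink
        fi
    else
        echo private
    fi
}

# Create a state file named $2 inside directory $1 and print its path.
# In a private directory a fixed name is fine.  In a shared directory a
# predictable name is a symlink/race target, so let mktemp create the file
# atomically (O_CREAT|O_EXCL) with a random suffix instead.
make_state_file() {
    d=$1 name=$2
    case $(dir_class "$d") in
        private)
            : > "$d/$name"
            echo "$d/$name"
            ;;
        *)
            mktemp "$d/$name.XXXXXX"
            ;;
    esac
}

# Demo: three constructed directories with the modes discussed above.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/priv" "$base/tmp" "$base/bad"
    chmod 0700 "$base/priv"   # private state directory
    chmod 1777 "$base/tmp"    # tmpfs default: world-writable plus sticky
    chmod 0777 "$base/bad"    # world-writable without sticky bit
    for d in priv tmp bad; do
        printf '%s: %s -> %s\n' "$d" "$(dir_class "$base/$d")" \
            "$(make_state_file "$base/$d" nvi.state)"
    done
    rm -rf "$base"
}
demo
```

Running the demo prints a fixed path for the private directory and a mktemp-generated name for the two shared ones. The classification is deliberately conservative: a sticky-bit directory still gets the mktemp path, because the sticky bit only stops other users from deleting or renaming the file, not from planting a symlink at a predictable name before the script creates it.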
