Re: So I received a gpg-signed email, can I trust it?

To: debian-devel@lists.debian.org
Subject: Re: So I received a gpg-signed email, can I trust it?
From: Jakub Wilk <jwilk@debian.org>
Date: Fri, 8 Jul 2016 13:34:57 +0200
Message-id: <[🔎] 20160708113457.GA3716@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20160708092127.GA17962@enricozini.org>
References: <[🔎] 20160708092127.GA17962@enricozini.org>

* Enrico Zini <enrico@enricozini.org>, 2016-07-08, 11:21:

 $ mkdir /tmp/keyring
 $ chmod 0700 /tmp/keyring

This way of creating a directory inaccessible to other is racy. Betweenmkdir and chmod calls, the directory could be opened by an attacker (andthen kept open forever). A non-racy way looks like this:


$ mkdir -m 0700 foobar


And you really shouldn't use /tmp as a personal scratch space.
/tmp is word-writable and therefore not suitable for this purpose.

(Yes, I realize that these are just examples. But let's not teach peoplebad habits.)


--
Jakub Wilk

Reply to:

References:
- So I received a gpg-signed email, can I trust it?
  - From: Enrico Zini <enrico@enricozini.org>

Prev by Date: Bug#830475: ITP: r-cran-treescape -- GNU R Statistical Exploration of Landscapes of Phylogenetic Trees
Next by Date: Request for help - faithful source format (related to dgit)
Previous by thread: So I received a gpg-signed email, can I trust it?
Next by thread: Re: So I received a gpg-signed email, can I trust it?
Index(es):
- Date
- Thread