[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: possible security flaw in screen 3.9.5-9

On Sat, Sep 09, 2000 at 01:16:19PM +1100, CaT wrote:

> For my system:
> [13:09:22] root@nessie:/root>> find /var -perm +o+w -mount
> [13:09:26] root@nessie:/root>>
> I've not had problems. :)

you have removed /var/lock? and i presume made /var/tmp its own

> Still, why does /var/lib/texmf/* need to be publically writeable?

design flaws in tetex.  see the BTS for a long discussion about it.
its not trivial to fix unfortunatly.  

> That's a package I don't have installed.

most people do since its priority standard.  

> > if your worried about users messing with /var put quotas on /var. 
> If that's the only solution then yes, but why do we need global
> write access to /var in the first place?

/var/lock i am not sure about, i don't usually see anything in there,
though right now i see a 
-rw-r--r--    1 root     root           11 Sep  8 18:10 LCK..ttyS0

which belongs to pppd, but it runs as root.

/var/lock is cleaned on boot. 

> > more headaches for /tmp cleaners and it does not solve any of the
> > above problems.  to solve the above problems enforce quotas on /var
> Well it does... Logging will go on etc. As for /tmp cleaners, somehting
> like tmpwatch is a good start, but it'd be nice if it had an exclusion
> list to the global timeout. It'd make it much more useful. :)

like this (from /etc/cron.daily/tmpreaper):

# ! Important !  Please read the manual regarding the --protect option.
#                The pattern *MUST* be surrounded by single quotes.

nice -n10 tmpreaper --mtime-dir --symlinks 7d  \
  --protect '/tmp/.X*-{lock,unix,unix/*}' \
  --protect '/tmp/.ICE-{unix,unix/*}' \
  --protect '/tmp/.iroha_{unix,unix/*}' \
  --protect '/tmp/.ki2-{unix,unix/*}' \
  --protect '/tmp/.font-unix' \
  --protect '/tmp/lost+found' \
  --protect '/tmp/quota.user' \
  --protect '/tmp/quota.group' \

still i don't think its good to overload /tmp with this kind of
garbage more then necessary or that list could get rediculous.

FHS may answer some of these questions too.

Ethan Benson

Attachment: pgp3QoZztasZZ.pgp
Description: PGP signature

Reply to: