
Re: possible security flaw in screen 3.9.5-9



On Fri, Sep 08, 2000 at 06:33:01PM -0800, Ethan Benson wrote:
> On Sat, Sep 09, 2000 at 01:16:19PM +1100, CaT wrote:
> 
> > 
> > For my system:
> > 
> > [13:09:22] root@nessie:/root>> find /var -perm +o+w -mount
> > [13:09:26] root@nessie:/root>>
> > 
> > I've not had problems. :)
> 
> you have removed /var/lock? and i presume made /var/tmp its own

No. It's just not globally writeable.

> partition.  

Actually, I've not come across a use for it yet. From memory it is
there for things like editor temp files so that you can resurrect
your work after a crash. Basically, temp files which are not temp
enough to not survive a bootup. No need for it on my system (things
like vim, which is the only editor installed on my box, have been
configured to keep tmp files in a dir in the users home dir).

If I did have a need for it though, I'd make it a separate partition,
yes.

> > Still, why does /var/lib/texmf/* need to be publically writeable?
> 
> design flaws in tetex.  see the BTS for a long discussion about it.

BTS?

> it's not trivial to fix unfortunately.  

doh. what do those files do? (if you know offhand)

> > That's a package I don't have installed.
> 
> most people do since it's priority standard.  

aye. I'd say it needs fixing also then. :)

> > > if you're worried about users messing with /var put quotas on /var. 
> > 
> > If that's the only solution then yes, but why do we need global
> > write access to /var in the first place?
> 
> /var/lock i am not sure about, i don't usually see anything in there,
> though right now i see a 
> -rw-r--r--    1 root     root           11 Sep  8 18:10 LCK..ttyS0
> 
> which belongs to pppd, but it runs as root.

Yes. That's all I have in there also.

> /var/lock is cleaned on boot. 
> 
> > > more headaches for /tmp cleaners and it does not solve any of the
> > > above problems.  to solve the above problems enforce quotas on /var
> > 
> > Well it does... Logging will go on etc. As for /tmp cleaners, something
> > like tmpwatch is a good start, but it'd be nice if it had an exclusion
> > list to the global timeout. It'd make it much more useful. :)
> 
> like this (from /etc/cron.daily/tmpreaper):

Ooo!

> # ! Important !  Please read the manual regarding the --protect option.
> #                The pattern *MUST* be surrounded by single quotes.
> 
> nice -n10 tmpreaper --mtime-dir --symlinks 7d  \
>   --protect '/tmp/.X*-{lock,unix,unix/*}' \
>   --protect '/tmp/.ICE-{unix,unix/*}' \
>   --protect '/tmp/.iroha_{unix,unix/*}' \
>   --protect '/tmp/.ki2-{unix,unix/*}' \
>   --protect '/tmp/.font-unix' \
>   --protect '/tmp/lost+found' \
>   --protect '/tmp/quota.user' \
>   --protect '/tmp/quota.group' \
>     /tmp

I'll be grabbing this when my HD stops getting roasted.

> still i don't think it's good to overload /tmp with this kind of
> garbage more than necessary or that list could get ridiculous.

Yes it could but then I think that's better than the alternative...
and if you REALLY wanted to, you could have a .debian or whatnot
dir in there to store all such things (or most of them/some of them)

> FHS may answer some of these questions too.

FHS? :)

-- 
CaT (cat@zip.com.au)

	'He had position, but I was determined to score.'
		-- Worf, DS9, Season 5: 'Let He Who Is Without Sin...'
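One way to automate the `find /var -perm +o+w -mount` check from the top of this thread, as an added example that is not part of the original mail: a POSIX shell audit that separates sticky-bit directories (the expected /tmp-style case) from non-sticky world-writable directories and world-writable files, run over a constructed sample tree whose paths are made up to mirror the /var layout discussed. It uses the octal `-perm -002` test rather than the older `+o+w` syntax.

```shell
#!/bin/sh
# Added example, not from the thread: audit a tree for world-writable entries.
# -xdev mirrors the -mount in the original find; -perm -002 is the octal
# world-write test (the +o+w form quoted in the thread is old GNU find syntax).

# Directories anyone can write to WITHOUT the sticky bit: any user may rename
# or unlink other users' entries there. These are the real findings.
ww_dirs_nonsticky() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null | sort
}

# Sticky world-writable directories (/tmp style): expected, listed for review.
ww_dirs_sticky() {
    find "$1" -xdev -type d -perm -002 -perm -1000 2>/dev/null | sort
}

# World-writable non-directories. Symlinks are skipped: their own mode bits
# are meaningless, what matters is the mode of the target.
ww_files() {
    find "$1" -xdev ! -type d ! -type l -perm -002 2>/dev/null | sort
}

# Print a labelled report for one tree (e.g. /var).
audit_tree() {
    printf '== non-sticky world-writable dirs under %s ==\n' "$1"
    ww_dirs_nonsticky "$1"
    printf '== sticky world-writable dirs ==\n'
    ww_dirs_sticky "$1"
    printf '== world-writable files ==\n'
    ww_files "$1"
}

# Constructed sample tree mimicking the /var layout discussed; names are made up.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/lock" "$t/tmp" "$t/lib/texmf" "$t/log"
    chmod 0755 "$t/lib" "$t/lib/texmf" "$t/log"   # normal dirs, not listed
    chmod 0777 "$t/lock"                          # world-writable, no sticky bit: finding
    chmod 1777 "$t/tmp"                           # world-writable with sticky bit: expected
    : > "$t/lib/texmf/db"; chmod 0666 "$t/lib/texmf/db"   # world-writable file: finding
    : > "$t/log/syslog";   chmod 0644 "$t/log/syslog"     # normal file, not listed
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /var
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```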
