[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: possible security flaw in screen 3.9.5-9

On Fri, Sep 08, 2000 at 06:33:01PM -0800, Ethan Benson wrote:
> On Sat, Sep 09, 2000 at 01:16:19PM +1100, CaT wrote:
> > 
> > For my system:
> > 
> > [13:09:22] root@nessie:/root>> find /var -perm +o+w -mount
> > [13:09:26] root@nessie:/root>>
> > 
> > I've not had problems. :)
> you have removed /var/lock? and i presume made /var/tmp its own

No. It's just not globally writeable.

> partition.  

Actually, I've not come across a use for it yet. From memory it is
there for things like editor temp files so that you can resurrect
your work after a crash. Basically, temp files which are not temp
enough to not survive a botoup. No need for it on my system (things
like vim, which is the only editor installed on my box, have been
configured to keep tmp files in a dir in the users home dir).

If I did have a need for it though, I'd make it a seperate partition,

> > Still, why does /var/lib/texmf/* need to be publically writeable?
> design flaws in tetex.  see the BTS for a long discussion about it.


> its not trivial to fix unfortunatly.  

doh. what do those files do? (if you know offhand)

> > That's a package I don't have installed.
> most people do since its priority standard.  

aye. I'd say it needs fixing also then. :)

> > > if your worried about users messing with /var put quotas on /var. 
> > 
> > If that's the only solution then yes, but why do we need global
> > write access to /var in the first place?
> /var/lock i am not sure about, i don't usually see anything in there,
> though right now i see a 
> -rw-r--r--    1 root     root           11 Sep  8 18:10 LCK..ttyS0
> which belongs to pppd, but it runs as root.

Yes. That's all I have in there also.

> /var/lock is cleaned on boot. 
> > > more headaches for /tmp cleaners and it does not solve any of the
> > > above problems.  to solve the above problems enforce quotas on /var
> > 
> > Well it does... Logging will go on etc. As for /tmp cleaners, somehting
> > like tmpwatch is a good start, but it'd be nice if it had an exclusion
> > list to the global timeout. It'd make it much more useful. :)
> like this (from /etc/cron.daily/tmpreaper):


> # ! Important !  Please read the manual regarding the --protect option.
> #                The pattern *MUST* be surrounded by single quotes.
> nice -n10 tmpreaper --mtime-dir --symlinks 7d  \
>   --protect '/tmp/.X*-{lock,unix,unix/*}' \
>   --protect '/tmp/.ICE-{unix,unix/*}' \
>   --protect '/tmp/.iroha_{unix,unix/*}' \
>   --protect '/tmp/.ki2-{unix,unix/*}' \
>   --protect '/tmp/.font-unix' \
>   --protect '/tmp/lost+found' \
>   --protect '/tmp/quota.user' \
>   --protect '/tmp/quota.group' \
>     /tmp

I'll be grabbing this when my HD stops getting roasted.

> still i don't think its good to overload /tmp with this kind of
> garbage more then necessary or that list could get rediculous.

Yes it could but then I think that's better then the alternative...
and if you REALLY wanted to, you could have a .debian or whatnot
dir in there to store all such things (or most of them/some of them)

> FHS may answer some of these questions too.

FHS? :)

CaT (cat@zip.com.au)

	'He had position, but I was determined to score.'
		-- Worf, DS9, Season 5: 'Let He Who Is Without Sin...'

Reply to: