
Re: Mutt & tmp files



Wade Richards wrote:

> >I still say the bottom line is, if you don't trust root, don't use his
> >machine.
> 
> This is the sort of absolutist nonsense that gives security experts a
> bad name.  After all, anyone armed with a chainsaw can cut through a
> solid oak door in a matter of hours, so why bother installing a deadbolt
> on your door?

To keep out all the people who don't have chainsaws, obviously. But on
*nix machines, root has a chainsaw, and plenty of other tools also. He
can also get a key to your deadbolt if he really wants it.

> Some security is better than no security.  More security is better than
> less security.  If you find a security flaw in a system, you should try
> to fix that flaw, even if the system is not otherwise perfect.

True, but not relevant. The very fact that the cleartext of the email
exists on disk as a linked file for only a brief period is enough to
prevent casual browsing from discovering very much. So the issue is
whether additional measures really buy you very much. My view is that
the measures proposed in this thread were either not worth the trouble,
or required root's assistance to set up (e.g. a ramdisk). In the latter
case, if root really wants to spy on you, he'll either refuse to set up
whatever security infrastructure you're asking for, or he'll ensure that
your "security" is illusory in one way or another.

> For example, I'm root on my machine.  I'm nosy.  I'd like to know what
> the people who use my machine are saying about me in e-mail.  If I can
> grab the contents of a file from /tmp, I just might do that.

Thing is, as I said above, you have to grab the file during a
pretty narrow window. It only exists between the time the user decides
to write a mail, and the time his MUA turns it over to the MTA (or gpg).
After that, it's gone. Quite possibly, in many cases, the file will have
nothing but headers (if that) in it until the user is done writing it --
meaning that the text you want to read may only exist as a readable file
for a few seconds.

> But I'm also lazy.  I'm not going to spend hours or weeks writing code to
> install a tty sniffer, find enough disk space for the logs, and search
> through the log files for something interesting.  I'm a nosy root,
> I'm not a masochistic root.

So you also aren't going to be watching user processes like a hawk to
wait for an editor that is the child of an MUA process to save and close
a file in /tmp, and then grab it before it vanishes a few seconds later,
and read it subsequently to see if you happen to be mentioned (possibly
not by name, so you can't just grep for that).

> Also, what makes you think root "knows what he's doing?"  I suspect that
> many people with the "root" password could not install a tty sniffer or
> any other spying tool unless they could type "apt-get install ttysniffer".

Then they also won't be capable of effectively monitoring /tmp for
interesting emails about to be sent.

Craig
