[plug] Deleted tmp, Broken X

Christian christian at amnet.net.au
Tue Jun 27 21:19:40 WST 2000


On Tue, Jun 27, 2000 at 03:08:48PM +0800, The Thought Assassin wrote:
> and mount that on /tmp. Symlinks aren't perfect.
> And for security reasons, most programs will not follow symlinks when
> writing temp files - what if a malicious user had created a file in /tmp
> that symlinks to some important file of yours? A program using that temp
> file would overwrite your important data. That is the major problem with
> symlinks, and the main reason they are not a perfect substitute.

Most programs?  Do you have any statistics on the proportion of programs
which do such checks?  I seriously doubt that anywhere near the majority
of programs do that sort of check (my guess is < 10% but that's just a
guess), and, even if they do, there is still a race condition inherent
if you open a file, do an fstat() and then re-open the file to write to
it.  The way I've seen most often advocated for secure temporary file
creation is to do an open() with O_EXCL -- there are other possible ways
(e.g., trying to create a truly random filename which is a much more
difficult and treacherous proposition) but that's the safest.  Of
course, it's even better not to use publicly-writable temp directories
anyway.  Create a ~/.tmp directory and then set TMPDIR to it for those
programs (also sadly possibly not the majority) which obey this.

Regards,

Christian.
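
The open() with O_EXCL approach discussed in the message above, as an added example that is not part of the original post: it sets a plain create-and-truncate open beside an exclusive create when the predictable temp name is already a symlink to another file. The function names, the scratch directory and the file names "victim" and "app.tmp" are constructed for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: without O_EXCL, open() follows a symlink planted at `path`. */
int open_naive(const char *path) { return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); }

/* Safe: the existence check and the creation are one atomic kernel step;
 * any existing entry, a symlink included, makes it fail with EEXIST. */
int open_exclusive(const char *path) { return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600); }

/* Constructed scenario in a private scratch directory: "victim" holds 9 bytes
 * and the predictable name "app.tmp" is already a symlink to it.
 * Returns victim's size after opener() ran (9 = intact, 0 = truncated), or -1
 * on setup failure; *open_errno gets errno if opener() failed, else 0. */
long victim_size_after(int (*opener)(const char *), int *open_errno)
{
    char dir[] = "/tmp/oexcl-demo-XXXXXX", victim[64], tmpname[64];
    struct stat st;
    long size = -1;
    int fd;

    *open_errno = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/app.tmp", dir);
    fd = open_exclusive(victim);
    if (fd >= 0 && write(fd, "important", 9) == 9 && close(fd) == 0
        && symlink(victim, tmpname) == 0) {
        fd = opener(tmpname);
        if (fd >= 0) close(fd); else *open_errno = errno;
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(tmpname); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    int e1, e2;
    long naive = victim_size_after(open_naive, &e1);
    long excl = victim_size_after(open_exclusive, &e2);
    printf("naive: victim %ld bytes; O_EXCL: victim %ld bytes (%s)\n", naive, excl, strerror(e2));
    return 0;
}
```

Because the kernel performs the check and the create as one operation, there is no window between a separate stat and a later open for the name to be swapped.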


