pam_tmpdir, etc

Martin Pool mbp at sourcefrog.net
Thu Oct 28 22:36:59 CDT 2004


On 28 Oct 2004, Matt Zimmerman <matt.zimmerman at canonical.com> wrote:
> On Fri, Oct 29, 2004 at 11:58:48AM +1000, Robert Collins wrote:
> > On Fri, 2004-10-29 at 11:56 +1000, Martin Pool wrote:
> > > I saw this morning yet another tmpfile security advisory for Debian.
> > > 
> > > I have an open bug against Debian to have per-user $TMPDIR
> > > automatically set up using something like pam_tmpdir.  This is
> > > technically feasible and eliminates a whole class of security problems
> > > -- perhaps thirty or more DSAs in the last few years.
> > > 
> > > As you might expect, a global change got bogged down in off-topic
> > > debian-devel threads, but it would be great if Ubuntu could put it in.
> > > 
> > > http://lists.debian.org/debian-devel-0307/msg01708.html
> > 
> > That's a good point you raise... Jeff/Matt, is this feasible as a
> > feature goal for hoary?
> 
> Does anyone mind if we take this to ubuntu-devel at lists.ubuntu.com?  Feel
> free to quote me there.

No, not at all, I was just lazy.

> I think it would be a great thing to try out in Hoary, to do something
> proactive about insecure temporary files.  pam_tmpdir is only one of the
> available pre-existing solutions, and there are also various ways that we
> could tackle this on our own.

There are a lot of other possibilities, some of which are discussed on
the d-d thread.  In the long term I think I would like to eliminate
the world-writable /tmp altogether, though that would probably break
too many scripts.

> One of the shortcomings of pam_tmpdir is that it won't have any effect on
> programs which don't honor TMPDIR.  Yes, those programs are arguably buggy,
> but programs with temporary file vulnerabilities were already buggy. :-)

Yes, that's true.  It may be a smaller number of programs though, and
to some extent this is a numbers game.

The main thing is to resolve to do something about it, rather than
just waiting for the next vulnerability to be discovered.  Gentoo just
fixed one in ed, for heaven's sake.  Make the default safe.

Any long-established interface is likely to have some people and
programs who depend on every quirk, but sometimes you just have to
break them.

(Ask yourself: what would djb do? :-)

-- 
Martin 
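As an added example that is not part of this message or of pam_tmpdir's own code, the following C program shows both sides of what the thread is weighing: the directory a pam_tmpdir-style session module would set up at login (the `/tmp/user/<uid>` layout, the function names and the `ed.` prefix are assumptions made for illustration), and the difference between the temporary-file pattern behind the advisories (predictable name, `O_CREAT` without `O_EXCL`) and the `mkstemp` one. `choose_tmpdir` also makes Matt's caveat concrete: a program has to read `$TMPDIR` for the per-user directory to help it at all.

```c
/* Added example (not from the thread): per-user TMPDIR plus safe temp-file
 * creation. Function names, the "/tmp/user/<uid>" layout and the "ed."
 * prefix are assumptions made for illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Which directory a TMPDIR-honoring program will use: $TMPDIR, else /tmp. */
const char *choose_tmpdir(void)
{
    const char *d = getenv("TMPDIR");
    return (d && d[0] == '/') ? d : "/tmp";
}

/* A temp directory is "private" when it is a directory we own that nobody
 * else can write to. A sticky, world-writable /tmp deliberately fails this. */
int tmpdir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* What a pam_tmpdir-style session module would do at login (assumed layout):
 * create <base>/user/<uid> with mode 0700 and verify it. Returns 0 on
 * success and writes the path to out. */
int ensure_user_tmpdir(const char *base, char *out, size_t len)
{
    char parent[4096];
    int n = snprintf(parent, sizeof parent, "%s/user", base);
    if (n < 0 || (size_t)n >= sizeof parent) return -1;
    if (mkdir(parent, 0755) != 0 && errno != EEXIST) return -1;
    n = snprintf(out, len, "%s/%ld", parent, (long)getuid());
    if (n < 0 || (size_t)n >= len) return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST) return -1;
    if (chmod(out, 0700) != 0) return -1;    /* fix the mode if it pre-existed */
    return tmpdir_is_private(out) ? 0 : -1;  /* refuse a dir someone else owns */
}

/* The pattern behind the advisories: predictable name (here pid-based) and
 * O_CREAT without O_EXCL, so a file that is already there is silently reused. */
int open_tmp_predictable(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/ed.%ld", dir, (long)getpid());
    if (n < 0 || (size_t)n >= len) return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The fix: random name and atomic create-if-absent (mkstemp uses O_EXCL). */
int open_tmp_safe(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/ed.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);
}

/* Runs the whole scenario in a scratch directory; returns the number of
 * failed checks (0 means everything behaved as described above). */
int self_check(void)
{
    char base[4096], udir[4096], p1[4096], p2[4096], s1[4096], s2[4096];
    int fails = 0, fd;
    snprintf(base, sizeof base, "%s/pamtmp.XXXXXX", choose_tmpdir());
    if (!mkdtemp(base)) { strcpy(base, "./pamtmp.XXXXXX"); if (!mkdtemp(base)) return 99; }

    fails += ensure_user_tmpdir(base, udir, sizeof udir) != 0;
    fails += tmpdir_is_private(udir) != 1;
    chmod(udir, 0777);                        /* make it look like a shared /tmp */
    fails += tmpdir_is_private(udir) != 0;
    chmod(udir, 0700);

    /* predictable: same name every time, and reopening never fails */
    fd = open_tmp_predictable(udir, p1, sizeof p1); fails += fd < 0; if (fd >= 0) close(fd);
    fd = open_tmp_predictable(udir, p2, sizeof p2); fails += fd < 0; if (fd >= 0) close(fd);
    fails += strcmp(p1, p2) != 0;
    /* O_EXCL is what turns "file already there" into an error */
    fd = open(p1, O_WRONLY | O_CREAT | O_EXCL, 0600);
    fails += !(fd < 0 && errno == EEXIST);

    /* safe: unique names, template consumed, files actually created */
    fd = open_tmp_safe(udir, s1, sizeof s1); fails += fd < 0; if (fd >= 0) close(fd);
    fd = open_tmp_safe(udir, s2, sizeof s2); fails += fd < 0; if (fd >= 0) close(fd);
    fails += strcmp(s1, s2) == 0 || strstr(s1, "XXXXXX") != NULL;

    unlink(p1); unlink(s1); unlink(s2); rmdir(udir);
    snprintf(p1, sizeof p1, "%s/user", base); rmdir(p1); rmdir(base);
    return fails;
}

int main(void)
{
    int f = self_check();
    printf("%s (%d failed checks)\n", f ? "PROBLEM" : "OK", f);
    return f != 0;
}
```

Run it with and without `TMPDIR` set to see which directory `choose_tmpdir` picks; `tmpdir_is_private("/tmp")` is 0 on a normal system, which is exactly why a per-user directory is worth having, and `open_tmp_predictable` is the kind of code that such a directory protects even though the program itself never got fixed.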