Date: Thu, 20 Jan 2000 13:45:41 -0500
From: "Crist J. Clark"
To: Andriss
Cc: questions@FreeBSD.ORG
Subject: Re: suggestion to prevent /tmp races
Message-ID: <20000120134541.B72914@cc942873-a.ewndsr1.nj.home.com>

On Thu, Jan 20, 2000 at 11:23:49AM -0500, Andriss wrote:
> Hello,
>
> After reading the latest advisory on the make -j /tmp race, I decided
> to post to the list a suggestion that could theoretically prevent the
> /tmp races, or make them significantly harder...
>
> For example, if you set the following permissions on /tmp:
>
> drwxrwx-wt 3 root wheel 512 Jan 20 11:17 tmp
>
> ... no ordinary users will be able to list the directory, but they
> can list (and fully use) their own files if they know what the file
> name is. Now, users don't have to list the directory at all!
> They just have to be able to create the files and use them.
>
> 99% of the time, it's some program that creates those files for the
> user, for instance Pine. Not being able to list the directory would
> not break this behaviour.
>
> A similar suggestion could also apply to vi.recover.

Security through obscurity. This does not solve the race condition.
It just gives the victim more of a head start. The attacker now needs to make guesses at the file name created. For many programs it is fixed (e.g. .), so he might not even need to guess. For others it is typically _XXXX, where 'XXXX' is "random" characters. An attacker can make a lot of guesses and cover most or all of the namespace.

A better method is for a user to make a 700 permission directory in /tmp, although there are still some details to making even that secure.

--
Crist J. Clark
cjclark@home.com
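The "700 directory in /tmp" approach with the details that make it hold up, as an added example that is not part of this thread: the directory comes from mkdtemp(3) (random name, mode 0700), is re-checked with lstat(2) so a pre-planted symlink or someone else's directory is rejected, and files inside are created with O_CREAT|O_EXCL so an existing entry at the chosen name fails instead of being reused. The template name and function names are assumptions for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private working directory under $TMPDIR (or /tmp) with mkdtemp(3),
 * then verify with lstat(2) that the path is a real directory (not a symlink),
 * owned by the calling user, with no group/other bits. 0 on success, -1 on error. */
int make_private_tmpdir(char *buf, size_t buflen)
{
    struct stat st;
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    /* "user-XXXXXX" is an assumed template; mkdtemp replaces the X's */
    if (snprintf(buf, buflen, "%s/user-XXXXXX", base) >= (int)buflen) return -1;
    if (mkdtemp(buf) == NULL) return -1;          /* mkdir(2) with mode 0700 */
    if (lstat(buf, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        rmdir(buf);                               /* not what we created: refuse it */
        return -1;
    }
    return 0;
}

/* Create a file inside the private directory. O_EXCL makes open(2) fail with
 * EEXIST if anything already sits at that name (a guessed name, a symlink);
 * O_NOFOLLOW refuses to follow a symlink at the final component as well. */
int create_private_file(const char *dir, const char *name, char *path, size_t pathlen)
{
    if (snprintf(path, pathlen, "%s/%s", dir, name) >= (int)pathlen) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Race defence in action: a second create of the same name must fail with EEXIST. */
int demo(void)
{
    char dir[256], path[512];
    int fd1, fd2, ok;
    if (make_private_tmpdir(dir, sizeof dir) != 0) return -1;
    fd1 = create_private_file(dir, "work.txt", path, sizeof path);
    fd2 = create_private_file(dir, "work.txt", path, sizeof path);
    ok = (fd1 >= 0 && fd2 < 0 && errno == EEXIST);
    if (fd1 >= 0) close(fd1);
    unlink(path);
    rmdir(dir);
    return ok ? 0 : -1;
}
```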