From owner-freebsd-questions Thu Jan 20 11: 8:39 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from netmint.com (netmint.com [207.106.21.130]) by hub.freebsd.org (Postfix) with ESMTP id 6F74614DC7 for ; Thu, 20 Jan 2000 11:08:36 -0800 (PST) (envelope-from andriss@andriss.com)
Received: from localhost (andriss@localhost) by netmint.com (8.9.3/8.9.3) with ESMTP id OAA94625; Thu, 20 Jan 2000 14:08:26 -0500 (EST)
Date: Thu, 20 Jan 2000 14:08:22 -0500 (EST)
From: Andriss
X-Sender: andriss@netmint.com
To: cjclark@home.com
Cc: questions@FreeBSD.ORG
Subject: Re: suggestion to prevent /tmp races
In-Reply-To: <20000120134541.B72914@cc942873-a.ewndsr1.nj.home.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----

> This does not solve the race condition. It just gives the victim more
> of a head start. The attacker needs to now make guesses at the file
> name created. For many programs it is fixed (e.g. .) so
> he might not even need to guess. For others it is typically
> _XXXX where 'XXXX' is "random" characters. An attacker can
> make a lot of guesses and cover most or all of the namespace.

Yes, but there is a large number of pids, and if a user cannot list processes of other users, it would be blind guessing. If a system is configured to disallow ps -a and other ps combinations (for a user, a terminal, etc.) and /proc is mounted with different permissions, and a few other modifications are made, the number of guesses required to make the right one would be so large that system accounting would catch that process. If you have a limit on CPU consumption by users, such a brute-force resource hog would be killed off by resource limiting...

Anyway, the point is: the system can be configured so that guessing the filename is a difficult task.
> A better method is for a user to make a 700 permission directory in
> /tmp, although there are still some details to making even that
> secure.

I agree, that would be more secure. The downside is that it would take forever to patch all programs that use /tmp to use /tmp/username instead and create (and permission) that directory properly. It is a good idea though... Maybe a directory in /tmp should be created along with the directory in /home and permissioned properly by the adduser script?

Andriss

- --
______________________________________________________________
Andrey Kholodenko                        http://www.andriss.com
Download My Public PGP Key From http://www.andriss.com/pgp.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOIddKiQe9jf/ODl9AQHwUwQAr/hS/TGcCjT1g144/5eBhZIiiOmf3iHj
aYa/mqu372f85urdkAQK/5A36GF4ZCZMfs/Xp9Vy2bobzk/9/p9uHtaeRLIzgevB
VOWzyiTrjs4WFw/zkctlPNyCFeXJyl3t450/d+iZO4cE3rY1IXXcKK8LIzBSHoSF
4JPWLNUeWaQ=
=h77Z
-----END PGP SIGNATURE-----
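The thread above talks about two mitigations for /tmp races: making the file name hard to guess, and giving each user a 0700 directory under /tmp, with "some details" needed to make even that safe. The following is an added example, written for this page and not code from Andriss's mail or from any FreeBSD program, showing what those details are in C. The base directory, the user name "andriss" and the "prog." file prefix are constructed for illustration. It creates (or verifies) a per-user directory and then opens a file in it with mkstemp(), which uses O_CREAT|O_EXCL so a pre-planted file or symlink fails the open rather than being followed:

```c
/* Added example (not from the original mail): a per-user 0700 directory
 * under a world-writable /tmp, plus a safe temp file inside it.
 * "andriss" and "prog." are illustrative names chosen for this example. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create base/name as a 0700 directory owned by the caller, or verify an
 * existing one. Returns 0 on success, -1 with errno set on failure.
 * The failure cases are the "details" the quoted mail alludes to:
 *  - the path exists but is a symlink (lstat(), not stat(), notices)
 *  - the path exists but is not a directory
 *  - the directory is owned by another uid (an attacker pre-created it)
 *  - the directory has any group or world permission bits set */
int secure_user_dir(const char *base, const char *name, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }

    /* Try to create it ourselves. EEXIST only means something is already
     * at that path, possibly planted by someone else, so check it. */
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(out, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))                     { errno = ENOTDIR; return -1; }
    if (st.st_uid != getuid())                    { errno = EPERM;   return -1; }
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)  { errno = EPERM;   return -1; }
    return 0;
}

/* Open a new file in dir with an unpredictable suffix. mkstemp() opens with
 * O_CREAT|O_EXCL, so an existing file or symlink at the chosen name makes it
 * fail instead of being followed. We still fstat() the descriptor we got
 * (not the path, which could change) to confirm it is a regular file we own
 * with a single link. Returns the fd, or -1 with errno set. */
int secure_tmpfile(const char *dir, char *path, size_t pathlen)
{
    struct stat st;
    int fd;
    int n = snprintf(path, pathlen, "%s/prog.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) { errno = ENAMETOOLONG; return -1; }

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

Two points worth noting. First, the directory check uses lstat() and then rejects anything that is not a directory, so a symlink planted at /tmp/username pointing somewhere else is refused rather than followed. Second, the checks are done after mkdir() regardless of whether mkdir() succeeded; checking first and creating afterwards would reopen exactly the race the thread is about.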