From owner-freebsd-questions@FreeBSD.ORG Fri Dec 14 22:28:05 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2A61416A419 for ; Fri, 14 Dec 2007 22:28:05 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from smtp3.utdallas.edu (smtp3.utdallas.edu [129.110.10.49]) by mx1.freebsd.org (Postfix) with ESMTP id F23C013C4DB for ; Fri, 14 Dec 2007 22:28:04 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTP id 79058654FD for ; Fri, 14 Dec 2007 16:28:04 -0600 (CST) Date: Fri, 14 Dec 2007 16:28:04 -0600 From: Paul Schmehl To: FreeBSD Questions Message-ID: X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: ugidfw can prevent /tmp access? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Dec 2007 22:28:05 -0000 If you used ugidfw to prevent temp access to only the range of uid's you presently have, I'm thinking this should prevent an attacker from using /tmp to get around permissions restrictions. The question is, is there any kind of succint guide or list of what daemons need access to /tmp in order to function? Or do all daemons need this? -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/