On Jan 3, 2008 4:09 PM, Dennis Peterson <[EMAIL PROTECTED]> wrote:
> The success of this requires a bit of serendipity as well. If for reasons of
> convenience the new TMPDIR is globally writeable then nothing has been
> accomplished
> which is why a global TMPDIR declaration is pointless.
Well, yes and no. Let's take the following case:
1) You're using software which creates then executes a temporary file
as .progname.day-of-month
2) The attacker knows this and has a remote attack to populate this
file in /tmp to give themselves root access
3) You've globally defined TMPDIR to be /tmp/42/
4) Attack fails
Ok, it doesn't help against a local attacker (and then you're in
trouble anyway), but against any remote attack making assumptions
about the location of temporary files it has some value.
Besides, I made no statement about global declarations ;)
--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
