On Friday 23 December 2005 10:36, Gabor Gombas <[EMAIL PROTECTED]> wrote:

> On Thu, Dec 22, 2005 at 05:18:43PM +1100, Russell Coker wrote:
> > Putting system directories under /tmp is a really bad idea, it opens
> > possibilities of race condition attacks by unprivileged users against
> > system processes. Generally for almost everything we should be looking
> > to reduce usage of /tmp rather than increase it.
>
> There are no user processes while scripts in /etc/rcS.d are running (not
> even crontabs, since cron itself has not been started yet).

There are processes run from rcS.d that use data written by untrusted user
processes, /etc/init.d/nviboot is one example. There are also processes that
read network data (which is potentially hostile). /etc/init.d/ntpdate is one
example.

> And after rc.S has finished, there is no justification to use /run. I do
> not see the problem with using /tmp for /run.

Why not use /home? Why not /root? Both of those directories will work and
should not be accessed from rcS.d, but for good design we don't want to do
this.

One of the problems with using a directory such as /tmp in a way other than
its usual design under extraordinary circumstances is that people will see
the code in question, not understand the situation in which it was run, and
write other code that runs in multi-user mode which does similar things.

Another problem is that code which is written to run in single-user mode may
get changed to run in multi-user mode. A little thing like insecure temporary
file use in /tmp is not something that a typical sys-admin or programmer is
likely to notice when changing a program to run at a different time.

> Moreover, I still mean to mount a temporary tmpfs over /tmp, so unless
> you explicitly do a "chmod a+w /tmp", normal user processes will not
> even be able to write to /tmp until the real /tmp is mounted (or if /tmp
> is on /, until the tmpfs is unmounted).

The default for a tmpfs is that the root directory is mode 1777, so if you
don't explicitly remove such access then it's granted.

You might want to do some tests of some of the things you are suggesting.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
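The "race condition attacks by unprivileged users" and the "insecure temporary file use in /tmp" that the message above warns about are the classic symlink race: a privileged process creates or truncates a file at a predictable name in a world-writable directory, and an unprivileged user has already planted a symlink there so the write lands on a file of the attacker's choosing. The program below is an added example, not code from the thread or from any Debian init script; it stages that attack in a private mkdtemp() directory (so the demo itself does not race on the shared /tmp; the "/tmp/raceXXXXXX" template, the file names and the victim contents are constructed for the demo) and runs both a vulnerable create-or-truncate open() and a hardened O_CREAT|O_EXCL|O_NOFOLLOW open() against the planted link.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: create-or-truncate at a predictable name.  If an
 * unprivileged user has already planted a symlink there, open() follows
 * it and the privileged caller truncates and overwrites the link target. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL refuses to reuse any pre-existing entry
 * (a symlink included, dangling or not) and O_NOFOLLOW guards the final
 * component.  fstat() on the descriptor then confirms we really got a
 * fresh regular file that we own and that has no extra hard links. */
int safe_create(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stage the attack in a private 0700 directory (constructed demo data):
 * a "victim" file with known contents and an attacker-planted symlink at
 * the predictable temp name.  Returns 1 if writing through `creator`
 * clobbered the victim, 0 if the victim survived, -1 on a setup error. */
int run_scenario(int (*creator)(const char *))
{
    char dir[] = "/tmp/raceXXXXXX";   /* assumption: /tmp is writable here */
    char victim[256], link[256], buf[64];
    static const char secret[] = "original contents";
    static const char payload[] = "attacker-chosen data";
    FILE *f;
    int fd, clobbered = -1;
    size_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);

    if ((f = fopen(victim, "w")) == NULL)
        goto out;
    fputs(secret, f);
    fclose(f);

    /* The unprivileged attacker's move: plant a symlink at the name the
     * privileged writer is going to use. */
    if (symlink(victim, link) < 0)
        goto out;

    /* The privileged writer's move. */
    fd = creator(link);
    if (fd >= 0) {
        if (write(fd, payload, sizeof payload - 1) < 0)
            perror("write");
        close(fd);
    }

    /* Did the victim survive? */
    if ((f = fopen(victim, "r")) == NULL)
        goto out;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    clobbered = (strcmp(buf, secret) != 0);

out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("unsafe_create clobbered the victim: %d\n", run_scenario(unsafe_create));
    printf("safe_create   clobbered the victim: %d\n", run_scenario(safe_create));
    return 0;
}
```

The hardened open fails with EEXIST as soon as anything occupies the name, which is the right outcome: a boot script that needs a scratch file should either use a directory that unprivileged users cannot write to (the point of having /run rather than /tmp) or generate an unpredictable name with mkstemp() and treat any failure as an error rather than retrying at the same path.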