In reply to your message dated: Fri, 26 Jun 1998 09:24:17 +0200

>Tiger v2.2.3
>
>the $WORKDIR of tiger 2.2.3 is set to /tmp and many
>temporary files are being written there (it would exceed
>all limits to mention all the lines) ...
>to prevent the race conditions, $TIGER_HOME/tmp should be created by
>default and $WORKDIR in the config file set to it.
>See below for a patch.

I had seen the patch via the current maintainer of Tiger, and had told them not to issue it. This is not the best approach as many people run Tiger off of R/O floppy diskettes, and this won't work in that situation.

As an interim solution, the user should create a scratch directory specifically for Tiger, R/W only by root (there is no reason for anyone else to be able to read the directory). Set WORKDIR to point to this directory. `/var/spool/tiger' would probably be reasonable. I've not decided on an "automated" solution that is acceptable, thus the lack of a patch.

>closing remarks: I was shocked when I found these bugs. These security tools
>have been around for years - and yet nobody had checked this ??
>If this is a reflection of our security consciousness, well, we are in big
>trouble for a long time and things are not getting better (especially with
>M$ around)

Perhaps these tools should have been shuffled up on the priority queue, because they have "security" associated with them, but it doesn't really matter. If the "hack" succeeds, it succeeds... it does not matter what the program's purpose in life was...

I also think many believe that we should address the real problem first, instead of occupying our time dredging through a never-ending source of code. The real problem is the shared `/tmp'. In my private e-mails, I suggested a (hack) solution, but I've now decided against it.

The correct solution, IMHO, is what I offhandedly referred to in one message: rm -rf /tmp and make the scratch area be private in each account's home directory (though some of the shared homes, and root's home being `/', are problematic). Then we can go through and fix all the apps once and for all.

Anyhow, off subject...

dls [ who will now undoubtedly receive a ton of junk mail for his troubles ]

--
Douglas Lee Schales
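The interim advice above (a scratch directory that only root can read or write, with WORKDIR pointed at it) as an added shell example; this is not code from the message or from Tiger. It assumes the checks run as the same user who will run Tiger (root in the advice above, so ownership is compared against the invoking uid), and the function names, the `/var/spool/tiger` default and the `mktemp` template are this example's own.

```shell
#!/bin/sh
# Added example: create and validate a private scratch directory for Tiger
# so its temporary files never land in the shared /tmp. Function names and
# the mktemp template are this example's own, not Tiger's.

# check_private_workdir DIR
# Succeeds only if DIR is a real directory (not a symlink), is owned by the
# invoking user, and grants no permissions at all to group or others.
check_private_workdir() {
    dir=$1
    [ -L "$dir" ] && { echo "refusing symlink: $dir" >&2; return 1; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # ls -ldn prints the numeric owner uid in field 3 (POSIX, portable)
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || { echo "wrong owner $owner: $dir" >&2; return 1; }
    # characters 5-10 of the mode string are the group and other bits
    gobits=$(ls -ld "$dir" | cut -c5-10)
    [ "$gobits" = "------" ] || { echo "group/other access on $dir" >&2; return 1; }
    return 0
}

# make_private_workdir [DIR]
# Creates DIR (default /var/spool/tiger) with mode 0700; the umask makes it
# private from the moment it exists, so there is no window where another
# user could pre-populate it. An existing path is validated, never chmod'ed.
make_private_workdir() {
    dir=${1:-/var/spool/tiger}
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    check_private_workdir "$dir"
}

# tiger_scratch_file WORKDIR
# Prints the path of a freshly created, unpredictably named scratch file
# inside WORKDIR; refuses to touch a directory that fails the checks above.
tiger_scratch_file() {
    check_private_workdir "$1" || return 1
    mktemp "$1/tiger.XXXXXX"
}

# Usage: make_private_workdir /var/spool/tiger && WORKDIR=/var/spool/tiger
```

Set WORKDIR in Tiger's config to the directory this creates; the checks fail loudly if someone has replaced it with a symlink or loosened its permissions.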
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:54 PDT