Re: Linux and world-writable /tmp - workaround

From: David Luyer (luyerat_private)
Date: Mon Jul 13 1998 - 19:43:53 PDT


    > Module tries to redirect requests to directory pointed by TMPDIR variable.
    > If it isn't set, HOME + '/tmp' is used.
    >
    > NOTES:
    >
    > - Only requests to '/tmp', and only from unprivileged processes
    >   are redirected (and that's the goal). Root and suid programs
    >   are able to access /tmp directory as-is - there's no reason
    >   to redirect it, because directory is still root-writable.
    
    So...root runs;
    
    UPDBTMP=`run-update-db-find-as-nobody-return-output-filename`
    do-stuff-with-returned-filename-UPDBTMP
    
    or
    
    TMP=careful-secure-make-tmp-file
    su nobody -c "run-updatedb $TMP"
    
    and this is broken, since root's request to /tmp is not mutilated but
    nobody's request is mutilated, in fact to root's $HOME/tmp which is
    not writable by 'nobody' in the first place if it even exists.
    
    If temp directory is chosen by the environment, SUID (SUID someone other than
    root) programs try to write somewhere they may not have access.
    
    If temp directory is chosen by current user id values, temp files cannot
    be passed easily by filename between routines running under different
    user id's.
    
    If a special case is made for root, you get the second problem with the
    environment variable problem too.
    
    The fix for /tmp is not to remap it but to remove it.  Fix the programs.
    Set a TMPDIR in login scripts and/or use a default of not $HOME/tmp but
    $HOME when it is not set as this is then an error condition.
    
    David.
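
The handoff failure described in the message above, as an added example that is not part of the original post or of the module it discusses. `resolve_tmp`, `handoff_ok` and `choose_tmpdir` are hypothetical names; uid 65534 for nobody, the /root home and the file names are constructed, and the model assumes only /tmp and paths below it are rewritten.

```shell
#!/bin/sh
# Added example: a model of the quoted redirect rule. It only computes path
# strings from constructed values and never touches the real /tmp.

# resolve_tmp UID PATH TMPDIR HOME -> path the caller would actually reach.
# Assumption: root (uid 0) is never redirected; an empty TMPDIR falls back
# to HOME/tmp, as the quoted notes say.
resolve_tmp() (
    uid=$1 path=$2 tmpdir=$3 home=$4
    case $path in
        /tmp|/tmp/*)
            if [ "$uid" -eq 0 ]; then
                printf '%s\n' "$path"
            else
                printf '%s%s\n' "${tmpdir:-$home/tmp}" "${path#/tmp}"
            fi ;;
        *)  printf '%s\n' "$path" ;;
    esac
)

# handoff_ok NAME UID_A TMPDIR_A HOME_A UID_B TMPDIR_B HOME_B
# Succeeds only if both callers resolve NAME to the same object.
handoff_ok() {
    [ "$(resolve_tmp "$2" "$1" "$3" "$4")" = "$(resolve_tmp "$5" "$1" "$6" "$7")" ]
}

# choose_tmpdir: the policy from the last paragraph of the message. Use
# TMPDIR when set; otherwise use HOME itself and warn, because an unset
# TMPDIR is treated as an error condition.
choose_tmpdir() {
    if [ -n "${TMPDIR:-}" ]; then
        printf '%s\n' "$TMPDIR"
    else
        echo "warning: TMPDIR unset, falling back to HOME" >&2
        printf '%s\n' "$HOME"
    fi
}

# Constructed scenario: root creates the file, then the consumer runs as
# nobody (uid 65534 assumed) with root's environment still in place.
name=/tmp/updb.1234
echo "root reaches:   $(resolve_tmp 0 "$name" "" /root)"
echo "nobody reaches: $(resolve_tmp 65534 "$name" "" /root)"
if handoff_ok "$name" 0 "" /root 65534 "" /root; then
    echo "handoff ok"
else
    echo "handoff broken: the two uids reach different files"
fi
```

A name outside /tmp resolves identically for both uids in this model, which is the case the message's "fix the programs" advice relies on.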
    


