Re: Linux and world-writable /tmp - UPDATE (fwd)

From: Michal Zalewski (lcamtufat_private)
Date: Sun Jul 12 1998 - 15:51:25 PDT


    On Thu, 16 Jul 1998, Olaf Kirch wrote:
    
    > There are some things I do not understand about this patch.
    >
    >  1.   The code does not redirect /tmp access of processes running
    >       with a real, effective, or fs uid of root.
    >
    >       So it doesn't buy you anything when it comes to /tmp attacks
    >       on setuid root programs.
    
    No. You have to make /tmp chmod 755, only root-writable, so there's no
    risk. Please read the README carefully ;-)
    
    >  2.   The code does not keep normal users from messing around in
    >       the real /tmp directory. Use ///tmp, or chdir("/") and
    >       use "tmp", or unset both HOME and TMPDIR, or symlink your
    >       $HOME/tmp to /tmp, etc.
    
    Yes. It redirects only typical requests. It won't protect /tmp itself, as
    I wrote - you have to do 'chmod 755 /tmp'. Without this patch, your
    programs won't work after the above chmod. With the patch, they will. It
    has been mentioned in the README, again.
    
    >  3.   Some setuid programs do open temporary files in /tmp for
    >       a reason; they do not expect them to be created in /etc.
    >       They also do not expect that the user invoking the program
    >       can flip to a different directory underneath of it. An
    >       interesting attack (having redtmp loaded) would go like
    >       this:
    
    Setuid programs are NOT redirected to $HOME/tmp. If you want to force
    setgid redirection too, simply modify the code, but I can't see a serious
    reason to do it (any real-life examples, not 'hypothetical' examples - I
    can talk about a 'hypothetical' setuid program executing rm -rf / if only
    it detects that redtmp is installed, but... ;-).
    
    _______________________________________________________________________
    Michal Zalewski [lcamtufat_private] <= finger for pub PGP key
    To iterate is human, to recurse divine [P. Deutsch]
    [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
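
    The exchange above turns on two decisions a /tmp-redirecting preload shim
    has to make: which processes it leaves alone (root, setuid/setgid) and
    which path spellings it recognises as "/tmp". The following is an added
    example written for this archive page, not redtmp's code and not anything
    posted by Michal Zalewski or Olaf Kirch; it models both decisions with a
    plain prefix compare so that the bypass spellings listed in the thread
    ("///tmp", a relative "tmp" after chdir("/"), an unset HOME) can be checked
    against them. The function names, the exact privilege test (real vs.
    effective uid and gid) and the sample paths are this example's own
    assumptions. It shows only the classification logic; a real shim would
    wrap open(2) and friends via LD_PRELOAD and pass the rewritten path to the
    real call.

```c
/* Added example: models a /tmp -> $HOME/tmp redirection shim's decisions.
 * Not redtmp's code; function names and the privilege test are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Redirect only for an unprivileged, non-setuid, non-setgid process.
 * Root and privilege-changing programs keep using the real /tmp, which the
 * thread says must then be chmod 755 (root-writable only) to be safe. */
int should_redirect(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid == 0 || euid == 0)        /* root in any role: never redirect */
        return 0;
    if (ruid != euid || rgid != egid)  /* setuid/setgid: leave alone        */
        return 0;
    return 1;
}

/* Naive rewrite of "/tmp/NAME" to "HOME/tmp/NAME".
 * Returns 1 if the path was rewritten into out, 0 if it was passed through
 * unchanged. This is deliberately a plain prefix compare, i.e. it only
 * catches "typical requests"; that is the weakness the thread discusses. */
int redirect_tmp_path(const char *path, const char *home,
                      char *out, size_t outlen)
{
    if (home == NULL || strncmp(path, "/tmp/", 5) != 0) {
        snprintf(out, outlen, "%s", path);   /* unset HOME or no match: untouched */
        return 0;
    }
    snprintf(out, outlen, "%s/tmp/%s", home, path + 5);
    return 1;
}

/* Helper for checking results: 1 if path is rewritten to exactly expected. */
int redirects_to(const char *path, const char *home, const char *expected)
{
    char out[512];
    if (!redirect_tmp_path(path, home, out, sizeof out))
        return 0;
    return strcmp(out, expected) == 0;
}

/* Runs the spellings from the thread through the prefix check and returns
 * how many of them reach the real /tmp untouched (i.e. bypass the shim).
 * The relative "tmp/x" models chdir("/") followed by open("tmp/x"). */
int count_bypasses(const char *home)
{
    const char *spellings[] = { "/tmp/x", "///tmp/x", "tmp/x" };
    char out[512];
    int bypassed = 0;
    size_t i;
    for (i = 0; i < sizeof spellings / sizeof spellings[0]; i++) {
        if (!redirect_tmp_path(spellings[i], home, out, sizeof out))
            bypassed++;
    }
    return bypassed;
}

int main(void)
{
    const char *spellings[] = { "/tmp/x", "///tmp/x", "tmp/x" };
    char out[512];
    size_t i;
    for (i = 0; i < sizeof spellings / sizeof spellings[0]; i++) {
        int r = redirect_tmp_path(spellings[i], "/home/u", out, sizeof out);
        printf("%-10s -> %s (%s)\n", spellings[i], out,
               r ? "redirected" : "BYPASS");
    }
    printf("with HOME unset: %d of 3 bypass\n", count_bypasses(NULL));
    return 0;
}
```

    The point the numbers make: with HOME set, two of the three spellings
    already reach the real /tmp, and with HOME unset all three do. That is why
    the reply insists the redirection is only a compatibility layer and the
    actual protection is the 'chmod 755 /tmp' on the directory itself.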
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:18 PDT