On Thu, 16 Jul 1998, Olaf Kirch wrote:

> There are some things I do not understand about this patch.
>
> 1. The code does not redirect /tmp access of processes running
> with a real, effective, or fs uid of root.
>
> So it doesn't buy you anything when it comes to /tmp attacks
> on setuid root programs.

No. You have to make /tmp chmod 755, only root-writable, so there's no risk. Please read the README carefully ;-)

> 2. The code does not keep normal users from messing around in
> the real /tmp directory. Use ///tmp, or chdir("/") and
> use "tmp", or unset both HOME and TMPDIR, or symlink your
> $HOME/tmp to /tmp, etc.

Yes. It redirects only typical requests. It won't protect /tmp itself, as I wrote - you have to do 'chmod 755 /tmp'. Without this patch, your programs won't work after the above chmod. With the patch, they will. It has been mentioned in the README, again.

> 3. Some setuid programs do open temporary files in /tmp for
> a reason; they do not expect them to be created in /etc.
> They also do not expect that the user invoking the program
> can flip to a different directory underneath of it. An
> interesting attack (having redtmp loaded) would go like
> this:

Setuid programs are NOT redirected to $HOME/tmp. If you want to force setgid redirection too, simply modify the code, but I can't see a serious reason to do it (any real-life examples, not 'hypothetical' examples - I can talk about a 'hypothetical' setuid program executing rm -rf / if only it detects redtmp installed, but... ;-).

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] <= finger for pub PGP key
To iterate is human, to recurse divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
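The spellings Olaf lists (///tmp, chdir("/") followed by a relative "tmp") and the reply's admission that only "typical requests" are redirected come down to one design question: does the redirect match the literal path string, or a canonicalized one? The Python model below is added here and is not part of the thread or of redtmp; it compares the two approaches on exactly those cases. The uid-0 exemption follows the thread, while the function names, sample paths and home directory are constructed assumptions.

```python
TMP = "/tmp"


def naive_is_tmp(path: str) -> bool:
    """Literal-prefix match: the kind of test that ///tmp or a relative
    'tmp' after chdir('/') slips past."""
    return path == TMP or path.startswith(TMP + "/")


def canonical(path: str, cwd: str) -> str:
    """Resolve path against cwd and collapse '', '.', '..' components.
    Symlinks are intentionally not followed: this models only the name
    the process hands to the syscall (assumption of this example)."""
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue  # drops repeated slashes and '.' entries
        if comp == "..":
            if parts:
                parts.pop()
            continue
        parts.append(comp)
    return "/" + "/".join(parts)


def canonical_is_tmp(path: str, cwd: str = "/") -> bool:
    """Same question as naive_is_tmp, asked of the canonical form."""
    return naive_is_tmp(canonical(path, cwd))


def redirect(path: str, cwd: str, home: str, uid: int) -> str:
    """Model of the redirect decision described in the thread: uid 0 is
    left alone; for anyone else a canonical /tmp/... name is rewritten
    under $HOME/tmp. Non-/tmp names are returned unchanged."""
    if uid == 0:
        return path
    c = canonical(path, cwd)
    if not naive_is_tmp(c):
        return path
    return home.rstrip("/") + "/tmp" + c[len(TMP):]


if __name__ == "__main__":
    # Constructed sample requests: (path, cwd) as a process would issue them.
    for p, cwd in (("/tmp/x", "/"), ("///tmp/x", "/"), ("tmp/x", "/"),
                   ("tmp/x", "/home/alice"), ("/var/tmp/x", "/")):
        print(f"{p!r:14} cwd={cwd!r:14} naive={naive_is_tmp(p)!s:5} "
              f"canonical={canonical_is_tmp(p, cwd)!s:5} "
              f"-> {redirect(p, cwd, '/home/alice', 1000)}")
```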
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:05:18 PDT