DOH! DOH! DOH! I meant to add a note about randomizing the tempfile names but forgot to add it in the bugtraq email. I apologize for being lame. However, I still think that avoiding world-writable temporary directories in the first place is your best bet. Trying to randomize your tempfile names alone is almost (now, before hundreds of people start attacking my philosophy, I said *almost*) practising security through obscurity! I'm not saying that this extra step should not be taken, but relying upon PRNGs alone doesn't solve the problem; it just makes it a bit harder. After all, PRNGs utilize deterministic algorithms which simulate randomness. As some people like to put it: due to the finite state space of the program implementing the PRNG, its output will eventually return to its original value. We could argue from now till kingdom come on what is an acceptable period.

- John
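Added example, not part of John's post or the bugtraq thread: both halves of his advice in Python, a check that refuses a temp directory other users can write to (unless it carries the sticky bit) and an mkstemp(3)-style create that pairs an unguessable name with O_CREAT|O_EXCL, so a file or symlink already sitting at the name makes the open fail rather than being followed. The helper names (`dir_is_safe`, `create_tempfile`, `demo`) are hypothetical.

```python
import os
import secrets
import stat
import tempfile

# Hypothetical helper: reject a directory that others can write to without the
# sticky bit (as /tmp has), or that is owned by someone other than us or root.
def dir_is_safe(path: str) -> bool:
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid not in (os.getuid(), 0):
        return False
    if (st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX):
        return False
    return True

def create_tempfile(directory: str, prefix: str = "tmp") -> tuple[int, str]:
    """mkstemp(3)-style create: CSPRNG name plus O_CREAT|O_EXCL (and O_NOFOLLOW
    where the platform has it), so a planted file or symlink makes open() fail."""
    if not dir_is_safe(directory):
        raise PermissionError(f"refusing unsafe temp directory: {directory}")
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for _ in range(100):  # retry only on a genuine name collision
        name = os.path.join(directory, f"{prefix}.{secrets.token_hex(8)}")
        try:
            return os.open(name, flags, 0o600), name
        except FileExistsError:
            continue
    raise OSError("could not create a unique temp file")

def demo() -> dict:
    """Exercise both rules in throwaway directories and return what happened."""
    private = tempfile.mkdtemp()            # mode 0700, owned by us: accepted
    fd, name = create_tempfile(private)
    mode = stat.S_IMODE(os.fstat(fd).st_mode)
    os.close(fd)
    try:  # a file already present at that exact name: O_EXCL refuses it
        os.open(name, os.O_RDWR | os.O_CREAT | os.O_EXCL)
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o777)                 # world-writable, no sticky bit
    try:
        create_tempfile(shared)
        shared_rejected = False
    except PermissionError:
        shared_rejected = True
    return {"mode": mode, "excl_refused": excl_refused, "shared_rejected": shared_rejected}
```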
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:48 PDT