[GLLUG] Sharing /tmp Among Distros
Ben Pfaff
blp at cs.stanford.edu
Thu Jun 12 17:10:36 EDT 2003
"Melson, Paul" <PMelson at sequoianet.com> writes:
> Because /tmp is often chmod 1777 or 777, there are security risks
> associated with having a script (especially an init script, which would
> typically run as root) delete content from /tmp. For example, a
> malicious user could create a link from some place in /tmp to
> /etc/passwd which could then be unlinked by the init script at boot.
Unlinking a symlink deletes the symlink, not the file it points
to. (Otherwise, how would you delete a symlink? Extra mechanism
would be necessary.) So just adding a symlink, say /tmp/foo ->
/etc/passwd, is harmless. Problems do exist, though. Here's an
example. Suppose that a file /tmp/dir/passwd exists. The tmp
cleaner comes by and sees it. At that point, a malicious process
deletes /tmp/dir/passwd and /tmp/dir and adds a symlink /tmp/dir
-> /etc. Then the tmp cleaner calls unlink("/tmp/dir/passwd")
which the kernel expands to unlink("/etc/passwd"), and boom!
This kind of attack only works if user processes can modify /tmp.
It's perfectly safe to clean /tmp on boot in the obvious way
before any user processes are allowed to start. It also only
works if the tmp cleaner is written foolishly. Here's an article
on how to do it properly. Though I haven't examined the author's
code, he appears to have the right idea:
http://gazette.euskal-linux.org/issue18/tmp.html
--
<blp at cs.stanford.edu> <pfaffben at msu.edu> <pfaffben at debian.org> <blp at gnu.org>
Stanford Ph.D. Candidate - MSU Alumnus - Debian Maintainer - GNU Developer
www.benpfaff.org
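A tmp cleaner written the way the post recommends, as an added example of my own (not the linked article's code and not the author's): every child is opened relative to its parent with openat() and O_NOFOLLOW, so the /tmp/dir-to-symlink swap described above leaves the cleaner holding the link itself, never /etc. The selftest fixture (root/dir/passwd plus root/lnk -> outside/victim standing in for /etc/passwd) is constructed; it assumes a Linux host with a writable /tmp.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete everything below the directory open on dirfd without ever following
 * a symlink.  Each child is opened relative to its parent with O_NOFOLLOW |
 * O_DIRECTORY, so if dir is swapped for a symlink between readdir() and the
 * delete, openat() fails with ELOOP and only the link itself is unlinked.
 * Returns the number of entries removed, or -1 if the directory is unusable. */
static int clean_dir(int dirfd) {
    int fd = dup(dirfd);                         /* fdopendir() takes ownership */
    DIR *d = fd < 0 ? NULL : fdopendir(fd);
    if (!d) { if (fd >= 0) close(fd); return -1; }
    int removed = 0; struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        int sub = openat(dirfd, e->d_name, O_RDONLY | O_NOFOLLOW | O_DIRECTORY);
        if (sub >= 0) {                          /* a genuine subdirectory */
            int n = clean_dir(sub); close(sub);
            if (n > 0) removed += n;
            if (unlinkat(dirfd, e->d_name, AT_REMOVEDIR) == 0) removed++;
        } else if (unlinkat(dirfd, e->d_name, 0) == 0) {
            removed++;                           /* file, or the symlink itself, never its target */
        }
    }
    closedir(d); return removed;
}

/* Constructed fixture: root/dir/passwd and root/lnk -> outside, with outside/victim
 * playing /etc/passwd.  Returns 1 if root was emptied (3 entries) and victim survived. */
static int selftest(void) {
    char root[] = "/tmp/cleanXXXXXX", outside[] = "/tmp/victimXXXXXX", p[4096];
    struct stat st;
    if (!mkdtemp(root) || !mkdtemp(outside)) return 0;
    snprintf(p, sizeof p, "%s/dir", root);         mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/dir/passwd", root);  close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/victim", outside);   close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/lnk", root);         symlink(outside, p);
    int rootfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    int removed = clean_dir(rootfd); close(rootfd);
    snprintf(p, sizeof p, "%s/victim", outside);
    int victim_ok = stat(p, &st) == 0;             /* the link target must still exist */
    unlink(p); rmdir(outside); rmdir(root);        /* tidy up the fixture */
    return removed == 3 && victim_ok;
}
```

Note that clean_dir() also catches the case where the cleaner's own root is replaced: the caller opens it with O_NOFOLLOW as well, so the whole walk is anchored to file descriptors rather than to paths that an attacker can re-point.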