Walter Hofmann <[EMAIL PROTECTED]> wrote:
> Joerg Schilling schrieb am Mittwoch, den 20. Juni 2001:
> > If you remove the old file first, you may be close to 100% sure that
> > there is no such problem. Note that many UNIX programs create /tmp/ files
> > and some of them make it easy to know the names in advance.
>
> The chance that this happens by accident is, indeed, very small.
> I was thinking about an attacker who deliberately and repeatedly creates
> links from files /tmp.123 to /var/spool/mail/username and also creates
> some additional load to make the window large enough.
> This seems very feasible for an attacker.

As noted, if you want security you can create a subdirectory owned by
the effective user, permissions 0700, and put files in that. You can
create that in /tmp, and if the mkdir fails you stop there. If you want
to be paranoid, check statuses.

I admit that if I really wanted to do this I would probably write it
in perl, because doing it "right" and portable is very time-consuming.

--
-bill davidsen ([EMAIL PROTECTED])
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
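
The private-directory approach described in the reply above, sketched in C as an added example that is not part of the original message or of any program discussed in the thread. The function names and the /tmp/scratch.<pid> path are assumptions made for illustration; the name may be predictable because mkdir refuses any name that already exists.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create private directory `dir` (caller-chosen, hypothetical path).
 * Returns 0 on success, -1 if the name is taken or a status check fails. */
int make_private_dir(const char *dir)
{
    struct stat st;

    /* mkdir(2) never follows a symlink at `dir`; if anything already has
     * that name it fails (EEXIST) and we stop there. */
    if (mkdir(dir, 0700) != 0)
        return -1;

    /* The paranoid status check: must be a real directory, owned by the
     * effective user, with no group/other permission bits. */
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        rmdir(dir);
        return -1;
    }
    return 0;
}

/* Create a new file inside the private directory; returns an fd or -1. */
int create_private_file(const char *dir, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);

    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    /* O_EXCL refuses an existing name, including a planted symlink. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/scratch.%ld", (long)getpid());
    if (make_private_dir(dir) != 0) {
        perror(dir);
        return 1;
    }
    return create_private_file(dir, "work") >= 0 ? 0 : 1;
}
```

Because the directory is mode 0700 and owned by the effective user, no other unprivileged user can place links inside it, which closes the window discussed in the quoted text.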