Re: Stripping trailing blanks?

Mon, 28 Jul 2003 11:03:58 -0700 

You may be interested to know that there is currently a debate on exactly
this subject raging on the Debian Developer list.  It does however seem to
have come to a conclusion after a week or so.

David




                    "McKown, John"
                    <[EMAIL PROTECTED]        To:     [EMAIL PROTECTED]
                    sctr.com>              cc:
                    Sent by: Linux         Subject:     Re: Stripping trailing blanks?
                    on 390 Port
                    <[EMAIL PROTECTED]
                    ARIST.EDU>


                    28/07/2003
                    18:47
                    Please respond
                    to Linux on 390
                    Port






> -----Original Message-----
> From: Guillaume Morin [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 28, 2003 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Stripping trailing blanks?
>
>

<snip>

>
> The problem is actually the predictible file name in a world-writable
> directory. An attacker could create a symlink  with the name
> "strip.pid"
> (a pid is actually pretty easy to predict, and you can always
> create as
> much symlinks as you want) pointing to one of your files and when
> launching the command you would overwrite the file. It is really a
> disaster if root runs this command.
>
> Guillaume

Understand increases, thanks. I guess it would be "better" if, somehow,
/tmp
could refer to a different filesystem or directory for each individual
user.
UNIX on OS/390 does have something like this. A different kind of symlink
which is dependant on the userid.  Or perhaps, setup /tmp/$USER for every
valid use and don't have /tmp be world-writable. I wonder why Linux doesn't
do that? It should be easy to change the scripts that use /tmp to use
/tmp/$USER and to change the useradd program to create /tmp/$USER when it
creates /home/$USER and make it have the correct permissions. Or even
create
/home/$USER/tmp and symlink it to /tmp/$USER. Just some weird thoughts from
a "legacy" sysprog. I may well be all wet.


--
John McKown
Senior Systems Programmer
UICI Insurance Center
Applications & Solutions Team
+1.817.255.3225

This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and its' content is
protected by law.  If you are not the intended recipient, you should delete
this message and are hereby notified that any disclosure, copying, or
distribution of this transmission, or taking any action based on it, is
strictly prohibited.

Reply via email to