[request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Roland Mainz
Bart Smaalders wrote:
> Darren J Moffat wrote:
> > Roland Mainz wrote:
> >> Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to
> >> /tmp/$LOGNAME/") - patch is included in the RFE...
> >
> > This will I believe need an ARC case since it is a change in default
> > behaviour.   It also should be done for all shells not just ones
> > that read /etc/profile.
> >
> > Since I do this myself in my own .profile I feel duty bound to stand up
> > to the plate and be your sponsor for this.  So sign me up for putback
> > sponsor and I'll be ARC case submitter too.
> >
> 
> Good idea (I use this myself :-)).  Should the directory be created
> 700 by default?

Definitely "no". The idea is to improve "usability" and not "security".
AFAIK the best mode is "rwx" for "ugo" and then +t, e.g. the same mode
used by default for /tmp itself (otherwise "funny" things with
setuid/setgid/role scripts may happen which may not expect this kind of
change). Anyone who wants to "tighten" the mode of the /tmp/${LOGNAME}/
directory should do this in ~/.profile ...



Bye,
Roland

P.S.: Setting Reply-To: to shell-discuss at opensolaris.org

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)



[request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Roland Mainz
Casper.Dik at sun.com wrote:
> >Darren J Moffat wrote:
> >> Roland Mainz wrote:
> >>> Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to
> >>> /tmp/$LOGNAME/") - patch is included in the RFE...
> >>
> >> This will I believe need an ARC case since it is a change in default
> >> behaviour.   It also should be done for all shells not just ones
> >> that read /etc/profile.
> >>
> >> Since I do this myself in my own .profile I feel duty bound to stand up
> >> to the plate and be your sponsor for this.  So sign me up for putback
> >> sponsor and I'll be ARC case submitter too.
> >>
> >
> >Good idea (I use this myself :-)).  Should the directory be created
> >700 by default?
> 
> There's a risk in setting $TMPDIR and making it mode 700; the risk
> is that programs started under a different uid may start to fail.
> 
> But it should either by mode 1777 (to mitigate that risk) or 700
> for privacy.

Default should be the same mode as /tmp - the idea is that users do not
have to dig through zillion files to find "their" temp. files on a large
multiuser machine.
Quick check on our "grendel" (which wasn't "updated" with our custom
/etc/profile mods after last months update to Solaris 10):
$ ls -l /tmp | wc -l
  6187
Fun... ;-(



Bye,
Roland

P.S.: Setting Reply-To: to shell-discuss at opensolaris.org




[request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Roland Mainz
Darren J Moffat wrote:
> Casper.Dik at Sun.COM wrote:
> >>> Since I do this myself in my own .profile I feel duty bound to stand up
> >>> to the plate and be your sponsor for this.  So sign me up for putback
> >>> sponsor and I'll be ARC case submitter too.
> >>>
> >> Good idea (I use this myself :-)).  Should the directory be created
> >> 700 by default?
> >
> > There's a risk in setting $TMPDIR and making it mode 700; the risk
> > is that programs started under a different uid may start to fail.
> 
> pkgadd is one of those programs.
> 
> > But it should either by mode 1777 (to mitigate that risk) or 700
> > for privacy.
> 
> Or honour the umask ?

Please "no" (default should be identical to the default mode of "/tmp").
Users who wish to do that can simply use "chmod" in their ~/.profile
(AFAIK there isn't an exploitable gap because users already own the dir
on creation).



bye,
Roland

P.S.: Reply-To: set to shell-discuss at opensolaris.org




pkgadd failure / was: Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Roland Mainz
Dave Miner wrote:
> Casper.Dik at Sun.COM wrote:
> >> Darren J Moffat wrote:
> >>> Roland Mainz wrote:
[snip]
> >> Good idea (I use this myself :-)).  Should the directory be created
> >> 700 by default?
> >
> > There's a risk in setting $TMPDIR and making it mode 700; the risk
> > is that programs started under a different uid may start to fail.
> >
> 
> Yeah, you'll notice that if you try to su to root and run installers
> that run pkgadd internally.  I use this method, and the StarOffice 8
> installer failed quite mysteriously until I realized it was just an
> instance of that problem and reset TMPDIR to something else.

Is there any bug yet to add a simple check to "pkgadd" to catch this
kind of mistake early?



Bye,
Roland




[request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Roland Mainz
Casper.Dik at Sun.COM wrote:
> 
> >Yeah, you'll notice that if you try to su to root and run installers
> >that run pkgadd internally.  I use this method, and the StarOffice 8
> >installer failed quite mysteriously until I realized it was just an
> >instance of that problem and reset TMPDIR to something else.
> 
> This, unfortunately, kills the whole idea in my mind.
> (I vaguely remembered similar issues from the past)

Why? The whole idea is about "usability" and not "security" (see my
other postings) ...



Bye,
Roland

P.S.: Reply-To: set to shell-discuss at opensolaris.org




[shell-discuss] Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread casper....@sun.com

>Casper.Dik at Sun.COM wrote:
>> 
>> >Yeah, you'll notice that if you try to su to root and run installers
>> >that run pkgadd internally.  I use this method, and the StarOffice 8
>> >installer failed quite mysteriously until I realized it was just an
>> >instance of that problem and reset TMPDIR to something else.
>> 
>> This, unfortunately, kills the whole idea in my mind.
>> (I vaguely remembered similar issues from the past)
>
>Why? The whole idea is about "usability" and not "security" (see my
>other postings) ...

Ok, if the proposal is amended to mode 1777 then that is good.

Casper



[shell-discuss] Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Roland Mainz
Peter Tribble wrote:
> I regard this as unsafe and undesirable *as a default*. It clutters up
> /tmp with unnecessary directories, wastes memory and involves
> extra code at login. I have no problem with administrators or
> users doing it if they want, but I see no advantage to having it as
> the default behaviour.

I disagree. The flat layout in /tmp for all temporary files of all users
is very very annoying for both admins and users. I doubt mode 1777 is
"insecure" (yes, you can always craft a case where it goes wrong...).

Remember this is about "usability". Currently /tmp on a large multiuser
machine looks like a giant trashcan...

> What is the mechanism for the community to comment on
> these sorts of cases? Presumably it has to go for ARC review,
> but how does one find out what cases exist, when they're up for
> review, and how does one participate in the review process?
> (Particularly as a community member who might only be interested
> in a small number of cases.)

Uhm... there is arc-discuss at opensolaris.org for such discussions... and
the related project lists (e.g. shell-discuss at opensolaris.org).

> On 11/4/06, Roland Mainz  wrote:
> > 
> >  Default should be the same mode as /tmp - the idea is that
> >  users do not
> >  have to dig through zillon files to find "their" temp. files
> >  on a large
> >  multiuser machine.

> Why would users be manually groping through /tmp?

To find their files... ?

> >  Quick check on our "grendel" (which wasn't "updated" with
> >  our custom
> >  /etc/profile mods after last months update to Solaris 10):
> >  $ ls -l /tmp | wc -l
> >6187
> >  Fun... ;-(
> 
> Instead of which we will (presumably) have thousands of empty
> directories
> to sift through, one for each user who ever logged in. And the
> associated
> unnecessary memory use.

What is the difference between ten thousand files created by various
users? IMO that argument is for /dev/null ...

> (As an aside, how many directories can you create in /tmp?)

The same number of files which can be there - the limit is AFAIK only
the memory/swap, calculated based on some kernel tuneable...



Bye,
Roland




[shell-discuss] Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread casper....@sun.com

>I disagree. The flat layout in /tmp for all temporary files of all users
>is very very annoying for both admins and users. I doubt mode 1777 is
>"insecure" (yes, you can always craft a case where it goes wrong...).

Why?  I hardly ever look in /tmp.

OTOH, GNOME already dumps 3 or four temporary directories plus one
for StarOffice so that is a bit much already; organizing them is
good.

What guarantees that all temporary files are delivered there?

Should this really be an administrative option?

The code, I presume, would look something like:

if mkdir -p -m 1777 /tmp/$LOGNAME
then
	if [ -w /tmp/$LOGNAME ]
	then
		TMPDIR=/tmp/$LOGNAME
		export TMPDIR
	fi
fi

But if we really want to prevent denial of service, then
we need to do even more.

Casper



[shell-discuss] Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Glenn Fowler

what did the mkdir code look like again?
what will it do for user "foo" when /tmp/foo exists and is owned by user "bar"?
will +t be part of the mode?

-- Glenn Fowler -- AT&T Research, Florham Park NJ --
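Casper's sketch and Glenn's questions together describe what a hardened version of the /etc/profile snippet has to check: create the directory with the same 1777 mode /tmp has, but when the path already exists, only adopt it as TMPDIR if it is a real directory (not a symlink or a plain file) owned by the login user. The following is an added example, not code from the thread or from OpenSolaris; the helper name, its BASE/USER parameters and the use of `find -user` for the ownership test are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the project): per-user TMPDIR setup
# that refuses to adopt a pre-existing path which is not a real directory
# owned by the login user.  Plain variables are used because 'local' is
# not POSIX.  Usage: setup_user_tmpdir BASE USER  -> prints the directory
# on success and returns 1 otherwise.
setup_user_tmpdir() {
    base=$1
    user=$2
    dir="$base/$user"

    # Create with the same mode /tmp has (rwxrwxrwt).  Deliberately no -p:
    # with -p an existing path of any kind is silently accepted, which is
    # exactly the case that needs inspecting.
    if ! mkdir -m 1777 "$dir" 2>/dev/null; then
        # Path already exists (or base is unusable).  Accept it only if it is
        # a real directory owned by $user.  Without -H/-L, find examines the
        # starting point itself, so a symlink fails the -type d test.
        if [ -z "$(find "$dir" -prune -type d -user "$user" -print 2>/dev/null)" ]
        then
            return 1
        fi
    fi

    # Only export a directory the caller can actually write to.
    [ -w "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# In /etc/profile the call would be (assumed usage, not part of the thread):
#   if tmp=$(setup_user_tmpdir /tmp "$LOGNAME"); then
#       TMPDIR=$tmp; export TMPDIR
#   fi
```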




[shell-discuss] Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Joerg Schilling
"Peter Tribble"  wrote:

> I regard this as unsafe and undesirable *as a default*. It clutters up
> /tmp with unnecessary directories, wastes memory and involves
> extra code at login. I have no problem with administrators or
> users doing it if they want, but I see no advantage to having it as
> the default behaviour.

I concur.

Jörg

-- 
 EMail:joerg at schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
   js at cs.tu-berlin.de(uni)  
   schilling at fokus.fraunhofer.de (work) Blog: 
http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily



pkgadd failure / was: Re: [request-sponsor] Requesting sponsor for CR# 6488593 ("/etc/profile should set TMPDIR to /tmp/$LOGNAME/") ...

2006-11-04 Thread Dave Miner
Roland Mainz wrote:
> Dave Miner wrote:
>> Casper.Dik at Sun.COM wrote:
>>>> Darren J Moffat wrote:
>>>>> Roland Mainz wrote:
> [snip]
>>>> Good idea (I use this myself :-)).  Should the directory be created
>>>> 700 by default?
>>> There's a risk in setting $TMPDIR and making it mode 700; the risk
>>> is that programs started under a different uid may start to fail.
>>>
>> Yeah, you'll notice that if you try to su to root and run installers
>> that run pkgadd internally.  I use this method, and the StarOffice 8
>> installer failed quite mysteriously until I realized it was just an
>> instance of that problem and reset TMPDIR to something else.
> 
> Is there any bug yet to add a simple check to "pkgadd" to catch this
> kind of mistake early?
> 

I don't believe so, I hadn't had time to look into it yet.

Dave