On 4/27/07, Casper.Dik at sun.com <Casper.Dik at sun.com> wrote:
>
> >On Thu, Apr 26, 2007 at 02:26:49PM -0700, John Plocher wrote:
> >> > ...making things easier for users...
> >>
> >> Why should the user care about this?  By definition, things in TMPDIR
> >> are ephemeral and don't usually get noticed by users - unless the
> >> system is h0rked and there is no space left there.
> >>
> >> Since most users don't touch TMPDIR today, and in a well functioning
> >> system the existing default should "just work", I'm not sure what the
> >> problem really is...
> >
> >I think you could argue that private TMPDIRs are more secure -- no
> >chance of following a malicious symlink placed in a 1777 tmpdir if your
> >tmpdir isn't 1777.  But otherwise it doesn't seem friendlier than
> >TMPDIR=/tmp.  One problem: TMPDIR should probably be mkdtemp'ed, else
> >there's a DoS (nico% mkdir /tmp/plocher; chmod 700 /tmp/plocher; echo
> >muahahaha), but if mkdtemped then how to make sure that multiple login
> >sessions for the same user share the same TMPDIR?  (Search for one?)
>
>
> Unfortunately the use of TMPDIR is inherited across "su" and
> then, when users assume roles, TMPDIR no longer works.
>
> I would think this is too risky to change.

If that's true then the TMPDIR functionality needs to be removed from
libc and all applications because it is insecure by default.

Irek
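The per-user TMPDIR scheme debated in the thread above (a shared per-user name so that several login sessions see the same directory, the symlink risk in a 1777 tmp, and the "mkdir /tmp/plocher; chmod 700" squatting problem), as an added example that is not code from the thread or from Solaris libc: the fixed name is verified rather than trusted, and mkdtemp() is the fallback when it has been taken. The function names, the `user-<uid>` naming and the result codes are my own assumptions, written against plain POSIX.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes of ensure_private_tmpdir() (hypothetical names). */
enum { TMPDIR_OK = 0, TMPDIR_CREATE_FAILED = -1, TMPDIR_NOT_DIR = -2,
       TMPDIR_WRONG_OWNER = -3, TMPDIR_BAD_MODE = -4 };

/*
 * Make sure `path` is a directory only `uid` can use as TMPDIR.  A fixed
 * per-user name lets several login sessions share it, but in a 1777 /tmp the
 * name can be squatted, so an existing entry is verified rather than trusted:
 * opened with O_NOFOLLOW (symlinks rejected) | O_DIRECTORY and checked with
 * fstat() on that descriptor, so the object checked is the one to be used.
 */
int ensure_private_tmpdir(const char *path, uid_t uid)
{
    struct stat st;
    int fd;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return TMPDIR_CREATE_FAILED;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY);
    if (fd < 0)
        return TMPDIR_NOT_DIR;              /* symlink, plain file, unreadable */
    if (fstat(fd, &st) != 0) { close(fd); return TMPDIR_NOT_DIR; }
    close(fd);
    if (st.st_uid != uid)
        return TMPDIR_WRONG_OWNER;          /* someone else created the name */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return TMPDIR_BAD_MODE;             /* group/world access: not private */
    return TMPDIR_OK;
}

/* Pick a TMPDIR under `base`: the shared per-user name if it passes the checks,
 * else a fresh mkdtemp() directory (private, but not shared across sessions). */
const char *choose_tmpdir(char *buf, size_t len, const char *base, uid_t uid)
{
    snprintf(buf, len, "%s/user-%lu", base, (unsigned long)uid);
    if (ensure_private_tmpdir(buf, uid) == TMPDIR_OK)
        return buf;
    snprintf(buf, len, "%s/user-%lu-XXXXXX", base, (unsigned long)uid);
    return mkdtemp(buf);                    /* created with mode 0700 */
}
```

The fallback answers the "how to share across sessions" question only partially: a squatted name costs the user the shared directory, but never makes the session use someone else's.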