Roland Mainz <roland.mainz at nrubsig.org> wrote:
> I doubt the RBAC role will fail because the role application can write
> to /tmp/$LOGNAME unless the user him-/herself changes the mode to
> something different than 1777.
>
> > I've been staying out of this particular issue until now, as I could
> > see both sides of it. But it looks now like the weight of evidence is
> > against the proposal: not just RBAC damage, but also unnecessary
> > *extra* clutter in /tmp (due to the one-per-user directories,
>
> Which extra "clutter" ? Right now a plain desktop user always creates
> multiple files in /tmp, for example:
> -- snip --
> $ ls -l /tmp | fgrep fosdem
> drwx------ 2 gfosdem gfosdem 48 2006-02-25 10:15 gconfd-gfosdem
> drwx------ 2 gfosdem gfosdem 120 2006-03-02 20:30 kde-gfosdem
If the mode of the directory is different to 1777, this is a potential
problem for many application, even suid applications that are run by the
owner of $TMPDIR
J?rg
--
EMail:joerg at schily.isdn.cs.tu-berlin.de (home) J?rg Schilling D-13353 Berlin
js at cs.tu-berlin.de (uni)
schilling at fokus.fraunhofer.de (work) Blog:
http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
