LINUX-L@LISTS.UFL.EDU


Subject: Re: protecting /tmp
From: John Li
Reply-To: Platform Independent Linux List!
Date: Mon, 1 Jan 2007 13:17:09 -0500
Content-Type: multipart/signed

On Mon, Jan 01, 2007 at 09:39:14AM -0800, Jeff Lasman wrote:
> Happy New Year!
> 
> On a forum I read someone has suggested chmodding everything in /tmp as 
> 0000 to protect from hackers.
> 
> In my understanding, then no one (not even the owner) can read the 
> files.
> 
> Can this possibly work without breaking a lot of services and programs 
> that use /tmp?

Heh, April's still 3 months away!

/tmp can be used for malicious purposes because any user can create
files in it. For example, a punk^Wcurious student could write a script
named "su" which takes your input and then emails it to some server in
Nigeria. If you happen to have "." in your $PATH, *and* you happen to
be in /tmp/ when you try to run su, then you're in trouble.

Note that although /tmp has "liberal" permissions set (read, write,
execute for all users), it also has the sticky bit set, so a user can
only modify files in /tmp if they belong to him. A 777 directory is
pretty much open to anything otherwise (any user can read/modify/delete
any other user's files).

Executive Summary: Don't do it! You'll anger your computer!


Happy New Year!
-Nile

PS: Keep the local directory out of your $PATH. If you're really too
lazy to type "./executable", then at least make sure it's at the very
*end* of your path.

-- 
 .''`. | This Sig Kills Fascists!
: :' : |  http://deadbox.ath.cx
`. `'
  `-
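
The two checks the message above describes (the sticky bit on a shared directory, and "." or an empty entry in $PATH), as an added example that is not part of the original post. The function names `dir_class` and `audit_path` are hypothetical, and the script also flags relative and world-writable $PATH entries, which goes slightly beyond the "." case in the message.

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical.

# Classify a directory by its "other" permission bits, read from ls -ld:
#   sticky-shared  world-writable with the sticky bit (how /tmp is normally set)
#   open-shared    world-writable, no sticky bit (a plain 777 directory)
#   restricted     not world-writable
dir_class() {
    [ -d "$1" ] || { echo missing; return 0; }
    case $(ls -ld -- "$1") in
        d???????w[tT]*) echo sticky-shared ;;
        d???????w*)     echo open-shared ;;
        *)              echo restricted ;;
    esac
}

# Print one line per risky entry in a PATH-style string; nothing if clean.
# An empty entry (leading, trailing or doubled ':') means the current
# directory, exactly like ".".
audit_path() {
    rest="$1:"          # add a ':' so every entry is ':'-terminated
    i=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        i=$((i + 1))
        case $entry in
            ''|.) echo "$i: current directory ('$entry')" ;;
            /*)   case $(dir_class "$entry") in
                      *-shared) echo "$i: world-writable directory $entry" ;;
                  esac ;;
            *)    echo "$i: relative entry $entry" ;;
        esac
    done
}

# Stand-alone run: report on the live environment.
echo "/tmp is $(dir_class /tmp)"
audit_path "$PATH"
```

A healthy system reports /tmp as sticky-shared and prints no findings for $PATH.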
