RE: Issues with /tmp/mc-$USER directory



Hi!

I am not really a security expert, so just my opinion. :)

> 1) Check that /tmp/mc-$USER is ours.  I think if I do stat() 
> and it says that I'm the owner, no adversary will be able to 
> replace the directory. If /tmp/mc-$USER is ours, set proper 
> permissions (700) on it if necessary and use it.  Note that 
> the files inside that directory still have random names.
> 
> 2) If that fails, warn the user and create a directory under 
> /tmp with a random name e.g. /tmp/mc-$USER-$RANDOM.  If that 
> works, schedule the directory for removal using g_atexit 
> (portable atexit from glib) and use the directory.

Why don't you skip the first step, and just do the second? :) Easier to
implement just one version, less code -> less bugs and "more safe" (?).

Just another question: what happens if there's no /tmp directory (I
don't know an OS like this)? I mean if the distribution uses for example
the name /temp. I don't know if mc has to care about it.

Bye,
  Andras
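
The two-step scheme quoted above, sketched in C as an added example (not mc's code and not written by anyone in this thread). Assumptions: the function names are hypothetical, lstat() is used so a symlink at the fixed name is rejected rather than followed, mkdtemp() supplies the random name, and a plain rmdir() stands in for the g_atexit cleanup.

```c
#define _DEFAULT_SOURCE 1   /* glibc: declare lstat()/mkdtemp() under strict -std */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: accept the fixed-name directory only if it is a real directory
 * owned by the caller; tighten it to 0700. Returns 0 if usable, else -1. */
static int mc_dir_is_ours(const char *path)
{
    struct stat st;
    /* EEXIST is fine here: whoever created it, ownership is checked next. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)          /* lstat: never follow a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid())
        return -1;
    if ((st.st_mode & 07777) != 0700 && chmod(path, 0700) != 0)
        return -1;
    return 0;
}

/* Steps 1 and 2. Writes the chosen path to out. Returns 0 for the fixed
 * name, 1 for the random-name fallback (caller removes it), -1 on error. */
int mc_pick_tmpdir(const char *base, const char *user, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/mc-%s", base, user);
    if (n < 0 || (size_t)n >= len)
        return -1;
    if (mc_dir_is_ours(out) == 0)
        return 0;
    fprintf(stderr, "warning: %s is not safe to use\n", out);
    n = snprintf(out, len, "%s/mc-%s-XXXXXX", base, user);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkdtemp(out) != NULL ? 1 : -1;   /* atomic create, mode 0700 */
}

int main(void)
{
    char dir[4096];
    const char *user = getenv("USER");
    int rc = mc_pick_tmpdir("/tmp", user ? user : "unknown", dir, sizeof dir);
    if (rc < 0) return 1;
    printf("using %s\n", dir);
    if (rc == 1) rmdir(dir);                /* stand-in for the atexit cleanup */
    return 0;
}
```

The ownership check only holds while the parent directory has the sticky bit set, as /tmp normally does, so that other users cannot rename or remove the directory afterwards.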




