RE: Issues with /tmp/mc-$USER directory
- From: BARTHAZI Andras <andras barthazi hu>
- To: "'Pavel Roskin'" <proski gnu org>, "'Koblinger Egmont'" <egmont uhulinux hu>
- Cc: <mc-devel gnome org>
- Subject: RE: Issues with /tmp/mc-$USER directory
- Date: Thu, 26 Dec 2002 07:43:24 +0100
Hi!
I am not really a security expert, so just my opinion. :)
> 1) Check that /tmp/mc-$USER is ours. I think if I do stat()
> and it says that I'm the owner, no adversary will be able to
> replace the directory. If /tmp/mc-$USER is ours, set proper
> permissions (700) on it if necessary and use it. Note that
> the files inside that directory still have random names.
>
> 2) If that fails, warn the user and create a directory under
> /tmp with a random name e.g. /tmp/mc-$USER-$RANDOM. If that
> works, schedule the directory for removal using g_atexit
> (portable atexit from glib) and use the directory.
Why don't you skip the first step, and just do the second? :) Easier to
implement just one version, less code -> less bugs and "more safe" (?).
Just another question: what happens, if there's no /tmp directory (I
don't know OS like this)? I mean if the distribution uses for example
the name /temp. I don't know it mc has to care about it.
Bye,
Andras
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]