[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Symlink vulnerabilities
- To: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Symlink vulnerabilities
- From: dave bl <db.pub.mail@xxxxxxxxx>
- Date: Sat, 22 Oct 2011 16:29:45 +1100
On 22 October 2011 15:39, Michal Zalewski <lcamtuf@xxxxxxxxxxx> wrote:
>> In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races,
>> what you should be doing is using pam_namespace or similar so each user gets
>> their own /tmp namespace.
>
> That would result in counterintuitive behavior, I suppose... /tmp is a
> fairly stupid and largely unnecessary artifact of the old.
>
> If you are in charge of a distro, it would not hurt to nuke it
> altogether and change all packages in your control to use per-user
> $TMPDIR. Some third-party stuff will break - but it breaks every now
> and then anyway.
Actually in Ubuntu YAMA(Yama Linux Security Module)[0] should block
/tmp symlink attacks.
According to [1] "In Ubuntu 10.10 and later, symlinks in
world-writable sticky directories (e.g. /tmp) cannot be followed if
the follower and directory owner do not match the symlink owner. The
behavior is controllable through the
/proc/sys/kernel/yama/protected_sticky_symlinks sysctl, available via
Yama. "
[0]
http://zinc.canonical.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/yama
[1] https://wiki.ubuntu.com/Security/Features
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/