> On Mon, Apr 20, 1998 at 11:47:20PM -0700, Guy Maor wrote:
>> Modifying libc to catch common security goals is a laudable goal, but
>> such a libc should go to experimental.
This may be a stupid question, but *what* /tmp exploit are we trying to fix? I ask solely because /tmp should already have some special attributes set. Is this exploit something which is already solved by existing permission flags? Is it something that could be solved by a new permission flag?

How about this as a second proposal: modify libc, ext2fs and chattr to support a new extended attribute:

    chattr +X

This flag is only meaningful for directories. (The same bit could be used for other purposes for files; perhaps we could reuse an existing bit?) If this is set, its immediate children will force O_EXCL if O_CREAT is set.

This is slightly different from the first proposal, since "broken" code would still work *unless* an entry with the same name already existed. Since you aren't using a string comparison, all of the problems associated with it disappear. You could even walk the tree and set this bit on *every* directory.

Since it's controlled by a standard mechanism, it's easy to write wrapper functions, when necessary, for suitably privileged users.

Finally, since there is a workaround (chattr(); broken(); chattr();) we can reasonably define this bit to apply to *all* users, including root. If you don't want it at all, don't set the bit. If you do want it but have broken applications, use wrappers.

Bear Giles
[EMAIL PROTECTED]
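The behaviour the proposed directory flag would enforce, shown as an added example that is not part of the original message or of any libc or ext2fs code. The flag is modelled in user space as an assumption, and `open_in_dir`, `try_create` and the scratch paths are hypothetical names constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical user-space model of the proposed directory flag: when the
 * parent directory carries it, O_CREAT is upgraded to O_CREAT|O_EXCL. */
static int open_in_dir(int dir_forces_excl, const char *path, int flags)
{
    if (dir_forces_excl && (flags & O_CREAT))
        flags |= O_EXCL;
    return open(path, flags, 0600);
}

/* Try to create "scratch" in a fresh private directory; if preexisting is
 * set, a symlink of that name is planted first (constructed sample state).
 * Returns 0 if the open succeeded, its errno if not, -1 on setup failure. */
int try_create(int dir_forces_excl, int preexisting)
{
    char dir[] = "/tmp/exclXXXXXX", target[64], name[64];
    int fd, result = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(name, sizeof name, "%s/scratch", dir);
    if (preexisting) {
        fd = open(target, O_CREAT | O_EXCL | O_WRONLY, 0600);
        if (fd < 0 || close(fd) != 0 || symlink(target, name) != 0)
            goto out;
    }
    fd = open_in_dir(dir_forces_excl, name, O_CREAT | O_WRONLY);
    result = (fd >= 0) ? 0 : errno;   /* read errno before any other call */
    if (fd >= 0)
        close(fd);
out:
    unlink(name);      /* removes the symlink or the newly created file */
    unlink(target);    /* fails harmlessly when no target was created */
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("no flag/taken=%d flag/taken=%d flag/free=%d (EEXIST=%d)\n",
           try_create(0, 1), try_create(1, 1), try_create(1, 0), EEXIST);
    return 0;
}
```

Without the flag, the open follows the pre-existing symlink and succeeds; with it, the same call fails with EEXIST, while creation under an unused name succeeds either way.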