Message-Id: <201110221136.26852.raju@linux-delhi.org>
Date: Sat, 22 Oct 2011 11:36:26 +0530
From: "Raj Mathur (राज माथुर)" <raju@...ux-delhi.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities

On Saturday 22 Oct 2011, Valdis.Kletnieks@...edu wrote:
> > If you had your way, would you see it implemented as /tmp/<USER>
> > /<USER>/tmp, or some other way?
> 
> It should be site-configurable - some places may have a large fast
> /tmp area and they want a per-user directory on that disk space. 
> Other places may want to have /tmp redirected to /home/${USER}/tmp
> so disk quotas apply, etc etc.

There's also the issue of mounting /tmp noexec and nosuid on a separate 
filesystem that many people choose.  Location of per-user tmp filesystem 
would also be impacted by that.

At first sight, the best option from that point of view seems to be a 
per-user tmp under /tmp/$USER/ and mount /tmp noexec, nosuid.  If you 
choose the ~$USER/tmp option, you'll probably have to do some userfs 
jugglery to achieve the same objective.

Regards,

-- Raj
-- 
Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves
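The layout discussed above (a private per-user directory under /tmp, with /tmp itself mounted noexec,nosuid) can be checked and set up from a shell. The following is an added example, not code from the original thread or from any of its participants. It assumes a POSIX sh with awk and a coreutils-style stat; the mounts table it reads is in /proc/mounts format and the sample rows used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: per-user tmp under /tmp/$USER plus a mount-option check.
# Not part of the original thread; paths and sample data are constructed.

# check_mount_opts MOUNTS_FILE MOUNTPOINT OPT...
# Returns 0 if MOUNTPOINT appears in MOUNTS_FILE (/proc/mounts format)
# with every OPT listed, 1 otherwise. Uses the last matching row, since
# a later mount over the same point overrides an earlier one.
check_mount_opts() {
    mounts_file=$1; mountpoint=$2; shift 2
    opts=$(awk -v mp="$mountpoint" '$2 == mp { print $4 }' "$mounts_file" | tail -n 1)
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# make_user_tmp BASE
# Creates BASE/<user> with mode 0700 and prints its path. Refuses to use
# the directory if it is a symlink, not a directory, owned by another
# uid, or wider than 0700: those are the conditions a pre-planted entry
# in a world-writable /tmp would exploit. BASE is expected to be sticky
# (1777) so that only the owner can remove or rename the directory
# between the mkdir and the checks below.
make_user_tmp() {
    base=$1
    user=$(id -un); uid=$(id -u)
    dir="$base/$user"
    # -m applies the mode directly (umask is not consulted); an existing
    # entry makes mkdir fail, which is expected on every run but the first
    mkdir -m 0700 "$dir" 2>/dev/null || true
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2; return 1
    fi
    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
    # Owner uid and octal mode; GNU stat uses -c, BSD stat uses -f
    if stat -c '%u %a' "$dir" >/dev/null 2>&1; then
        set -- $(stat -c '%u %a' "$dir")
    else
        set -- $(stat -f '%u %OLp' "$dir")
    fi
    [ "$1" = "$uid" ] || { echo "refusing: $dir is owned by uid $1" >&2; return 1; }
    [ "$2" = "700" ] || { echo "refusing: $dir has mode $2, want 700" >&2; return 1; }
    printf '%s\n' "$dir"
}

# Typical use on a live system (hypothetical invocation):
#   check_mount_opts /proc/mounts /tmp nosuid noexec || echo "/tmp lacks nosuid,noexec" >&2
#   TMPDIR=$(make_user_tmp /tmp) && export TMPDIR
```

Because the checks happen after the mkdir, the function relies on the sticky bit of the parent to prevent another user from swapping the directory out from under it; a ~$USER/tmp variant would instead rely on the home directory not being writable by others, which is the "userfs jugglery" the message alludes to.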



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
