Bugtraq
mailing list archives
Re: Linux and world-writable /tmp - workaround
From: luyer () UCS UWA EDU AU (David Luyer)
Date: Tue, 14 Jul 1998 10:43:53 +0800
Module tries to redirect requests to directory pointed by TMPDIR variable.
If it isn't set, HOME + '/tmp' is used.
NOTES:
- Only requests to '/tmp', and only from unprivileged processes
are redirected (and that's the goal). Root and suid programs
are able to access /tmp directory as-is - there's no reason
to redirect it, because directory is still root-writable.
So...root runs;
UPDBTMP=`run-update-db-find-as-nobody-return-output-filename`
do-stuff-with-returned-filename-UPDBTMP
or
TMP=careful-secure-make-tmp-file
su nobody -c "run-updatedb $TMP"
and this is broken, since root's request to /tmp is not mutilated but
nobody's request is mutilated, in fact to root's $HOME/tmp which is
not writable by 'nobody' in the first place if it even exists.
If temp directory is chosen by the environment, SUID (SUID someone other than
root) programs try to write somewhere they may not have access.
If temp directory is chosen by current user id values, temp files cannot
be passed easily by filename between routines running under different
user id's.
If a special case is made for root, you get the second problem with the
environment variable problem too.
The fix for /tmp is not to remap it but to remove it. Fix the programs.
Set a TMPDIR in login scripts and/or use a default of not $HOME/tmp but
$HOME when it is not set as this is then an error condition.
David.
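
The hand-off failure described in the message above, modelled in user space as an added example (not part of the original post and not the module's code). `Proc`, `resolve`, `handoff`, `same_file`, the file names and the environments are constructed for illustration; the `nobody` process is given HOME=/root to match the case the message describes.

```python
# Added illustration: a user-space model of the /tmp redirect rule quoted in
# this thread. All names here are hypothetical; nothing is the module's code.
from dataclasses import dataclass, field
import posixpath


@dataclass
class Proc:
    uid: int
    env: dict = field(default_factory=dict)
    setuid: bool = False  # True when running a suid binary


def resolve(proc: Proc, path: str) -> str:
    """Path the process really reaches under the quoted redirect rule."""
    path = posixpath.normpath(path)
    if path != "/tmp" and not path.startswith("/tmp/"):
        return path                       # only requests to /tmp are touched
    if proc.uid == 0 or proc.setuid:
        return path                       # root and suid programs see /tmp as-is
    # Unprivileged: TMPDIR if set, otherwise HOME + '/tmp'
    base = proc.env.get("TMPDIR") or posixpath.join(proc.env.get("HOME", "/"), "tmp")
    if path == "/tmp":
        return base
    return posixpath.join(base, path[len("/tmp/"):])


def handoff(creator: Proc, consumer: Proc, name: str):
    """Creator writes `name` and passes the name on; return
    (where the file was written, where the consumer looks for it)."""
    return resolve(creator, name), resolve(consumer, name)


def same_file(a: Proc, b: Proc, name: str) -> bool:
    """True when both processes reach the same file through `name`."""
    written, looked_up = handoff(a, b, name)
    return written == looked_up


# Constructed processes for the two cases in the message.
ROOT = Proc(uid=0, env={"HOME": "/root"})
NOBODY = Proc(uid=65534, env={"HOME": "/root"})  # HOME as in the message's scenario

if __name__ == "__main__":
    print("nobody creates, root reads:", handoff(NOBODY, ROOT, "/tmp/updb.1234"))
    print("root creates, nobody reads:", handoff(ROOT, NOBODY, "/tmp/updb.1234"))
    print("path outside /tmp agrees:  ", same_file(ROOT, NOBODY, "/var/lib/updatedb/work.1234"))
```

In both directions the two processes end up at different files for the same name, while a path outside /tmp resolves identically for both.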