Bugtraq mailing list archives

Re: StarOffice 5.2 Temporary Dir Vulnerability
From: Peter W <peterw () USA NET>
Date: Wed, 8 Nov 2000 19:07:41 -0500

Christian wrote:

> A while back I noticed that StarOffice 5.2 (running under Linux and
> Solaris) creates a temporary directory under /tmp with the name
> "soffice.tmp" with permissions 0777.

Ah, our old friend /tmp. WordPerfect and VMWare had similar problems...

> My suggested workaround is to create a symbolic link from
> /tmp/soffice.tmp to a directory inside your home directory which
> is inaccessible to anyone but yourself. Doing this before running
> StarOffice would seem to protect against the vulnerability and this
> could be written into a simple shell script wrapper.

...and similar solutions. A better workaround is to set the environment
variable TMP to a safe alternative before running StarOffice. If you do
this, StarOffice will create the mode 0777 dir inside $TMP. I don't know if
this is documented, but it works (tested with StarOffice 5.2 for Linux),
and that's what matters. ;-)

Below is a shell script Red Hat Linux users can put in /etc/profile.d (be
sure to make it at least 0555, and use a .sh extension) to take care of
this, and similar, temp dir issues for users of sh/Bash shells, starting
the next time each user logs in. Others, source this from your .profile or
whatever, so your temp dir vars are properly set when you log in.

Or put it in a wrapper script, but I think history has shown that it's a
good idea to set these variables so that other applications might behave
more safely, too. Search the Bugtraq archive for TMPDIR for more cases.

IIRC, some (many? most?) other Linux distros support /etc/profile.d scripts
for sh/Bash, but YMMV.

Note that while WordPerfect 8 and VMWare respect $TMPDIR, StarOffice uses
$TMP. So my script now sets both variables, Just In Case.

Christian, thanks for the catch.

other stuff at http://www.tux.org/~peterw/

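# bastille-tmpdir.sh
# This script sets TMP/TMPDIR environment variables for some added
# safety on multi-user systems. Many applications write temporary
# files in unsafe ways to /tmp unless TMP and/or TMPDIR are set.
if [ -z "${TMPDIR}" ]; then
        # TMPDIR is not set
        # (assignment missing from the archived copy; assumed to be
        # derived from HOME, which the next test implies)
        TMPDIR="${HOME%/}/tmp"
        if [ "${TMPDIR}" = /tmp ]; then
                # This user's home dir is "/"? SysV-root?
                # (handling for this case is missing from the archived
                # copy; left as a no-op, so such a user keeps /tmp)
                :
        fi
        if [ ! -d "${TMPDIR}" ]; then
                # We need to create the directory, with sane permissions
                mkdir -m 0700 "${TMPDIR}" 2>/dev/null \
                        && TMP="${TMPDIR}" && export TMPDIR TMP \
                        || echo "Warning: unable to create safe TMPDIR"
        else
                # Directory already exists: point both variables at it
                TMP="${TMPDIR}"
                export TMP
                export TMPDIR
        fi
fi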
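
Added example, not part of the original post or of Bastille: the posted script exports a directory that already exists without inspecting it, so this sketch checks type, owner and mode before pointing TMP and TMPDIR at it. The helper name `safe_private_tmp` and the policy (real directory, owned by the caller, mode exactly 0700) are assumptions of this example.

```shell
#!/bin/sh
# Added example. safe_private_tmp is a hypothetical helper name.
# Pass an absolute path, e.g. "${HOME}/tmp".
safe_private_tmp() {
    dir=${1%/}    # drop a trailing slash so a symlink is not followed
    [ -n "$dir" ] || { echo "Warning: empty path" >&2; return 1; }

    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        # Nothing there yet: create it private from the start.
        mkdir -m 0700 "$dir" 2>/dev/null || {
            echo "Warning: unable to create $dir" >&2
            return 1
        }
    fi

    # find does not follow a symlink named on its command line, so
    # -type d fails for a link; -prune keeps it from descending.
    # -perm 0700 is an exact match: any group/other bit is rejected.
    uid=$(id -u)
    ok=$(find "$dir" -prune -type d -user "$uid" -perm 0700 2>/dev/null)
    if [ -z "$ok" ]; then
        echo "Warning: $dir is not a mode 0700 directory owned by uid $uid" >&2
        return 1
    fi

    # Per the post: StarOffice reads TMP; WordPerfect 8 and VMWare
    # read TMPDIR. Set both only after the checks have passed.
    TMPDIR=$dir
    TMP=$dir
    export TMPDIR TMP
}
```

On failure the function leaves TMP and TMPDIR untouched and returns non-zero, so a login script can print its warning and carry on.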
