Re: On replacing a hdisk

From: Holger.VanKoll@SWISSCOM.COM
Date: Thu Aug 29 2002 - 05:39:55 EDT


One could put scripts that need root-privileges to run in a dir not
readable by users.
Also, a /roottmp or whatever could be considered, based on your
security needs.

> it would be
> relatively simple for any person with malicious intent to
> find out exactly what to call the links.

If you append $$, it's hard. AIX was written with C2 security in mind,
and you cannot easily guess the next pid.

> One easy way around it would be to remove the file before
> trying to write to it.

An improvement. Still there is a race-condition.
If you remove, say, 2 files, you do io and it's possible that your
process gets stopped there (between removing first/second file).
Then a user-process could get cpu and re-do the link on the file you
just removed.
If you don't append $$ to the filename, there is a known filename (he
could know from earlier runs of the script) and this race-condition is
not so improbable.

If you append $$, it seems safer, but if the user created file0 -
file$$-max, he just has to check what has been deleted and recreate the
link. Probably that takes too much cpu/io and your script/task will be
rescheduled before.

On a system with high security needs, root must not use anything
world-writeable, including /tmp.
At least create /tmp/root 700, the sticky bit on /tmp should prevent a
user from deleting it.



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:10 EDT