The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Insecure /tmp file usage

To: debian-private@lists.debian.org
Subject: Re: Insecure /tmp file usage
From: Christoph Lameter <chris@waterf.org>
Date: Sat, 6 Dec 1997 15:50:03 -0800 (PST)
Cc: security@debian.org, debian-private@lists.debian.org
Delivered-to: security@debian.org
In-reply-to: <971206231840.9277A-100000@liquid.tpb.net>
Resent-cc: recipient list not shown: ;
Resent-date: 6 Dec 1997 23:43:35 -0000
Resent-from: debian-private@lists.debian.org
Resent-message-id: <"ZVoka.A.jCD.nMei0"@debian>
Resent-sender: debian-private-request@lists.debian.org

There is a kernel-patch for 2.0.32 that makes the symlinks exploits
impossible. Its contained in the linux mama patches. Maybe that patch will
allow us to use the /tmp directory for temporary storage again?

On Sat, 6 Dec 1997, Niels wrote:

> Package: premail
> Version: 0.45-3
> 
> from the documentation:
> 
> Secrets
> 
>      To create signatures, decrypt messages, or use nyms, you need to
>      set up a "premail secrets" file. If you will only be using premail
>      to encrypt outgoing mail, you can skip this section.
> 
>      The default filename is /tmp/.premail-secrets.$< , where $< is
>      equal to your numeric user id. To change the filename, use a
>      preferences line such as this one:
> 
>    $config{'premail-secrets'} = '/mnt/cryptdisk/premail-secrets';
> 
>      If you don't know your numeric user id, you can find it by running
>      "echo $uid" (from csh or tcsh), "echo $UID" (from sh or bash), or:
> 
>    perl -e 'print "$<\n"'
> 
> (this is dumb - 'id' is the command to use. --N)
> 
>      The premail secrets file has this format:
> 
>    $pgppass{'user'} = 'PGP passphrase for user';
>    $pgppass{'alternate'} = 'PGP passphrase for alternate';
>    $penetpass = 'Passphrase for anon.penet.fi';
> 
>      However, make sure your premail secrets file has restrictive
>      permissions, so other people on your system can't read your
>      passphrases! This command is well recommended (substituting your
>      actual user id, of course):
> 
>    chmod 600 /tmp/.premail-secrets.7437
> [..]
> 
> Looking through the source I see some open(TMP, ">$file")-like statements
> with absolutely no checks whether the file exists around it...
> 
> 
> 	-- Niels.
> 
> 
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-private-request@lists.debian.org . 
> Trouble?  e-mail to templin@bucknell.edu .
> 
> 


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

References:
- Insecure /tmp file usage
  - From: Niels <niels@atdot.xs4all.nl>

Prev by Date: Re: Code freeze
Next by Date: Should I make a `gv-2.5.8' for bo-updates?
Previous by thread: Insecure /tmp file usage
Next by thread: Should I make a `gv-2.5.8' for bo-updates?
Index(es):
- Date
- Thread