Re: temp files for security/logcheck

From: Dan Langille (dan@langille.org)
Date: 03/11/01 

From: "Dan Langille" <dan@langille.org>
To: Pete Fritchman <petef@databits.net>
Date: Sun, 11 Mar 2001 17:47:58 +1300

AFAIK, the files disappear each time the script is run:

umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
$TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f
$TMPDIR/checkreport.$$ ]; then
        echo "Log files exist in $TMPDIR directory that cannot be
removed. This
may be an attempt to spoof the log checker." \
        | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!"
$SYSADMIN
        exit 1
fi

On 10 Mar 2001, at 23:45, Pete Fritchman wrote:

> It seems logical that the port should just use ${TMPDIR}/.logcheck/ or
> something of that nature. Does it need to be there permenately? Or can
> it just be created/deleted when the program is started/stopped? I saw
> the thread on -ports earlier but didn't get a chance to respond.
>
> -pete
>
> ++ 11/03/01 17:35 +1300 - Dan Langille:
> >The port security/logcheck creates /usr/local/etc/tmp[1] and chmod's it
> >to 700. It does that because the temp files it creates and uses need to
> >be relativly secure. It writes out several files that could cause problems
> >if a user made links, etc.
> >
> >Does anyone see any issues which we need to deal with? e.g. the
> >security of this directory, the name of this directory...
> >
> >[1] - Prior to a recent port change, it used /usr/local/etc/tmp
> >
> >--
> >Dan Langille
> >pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
> >got any work? I'm looking for some.
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
> --
> Pete Fritchman <petef@databits.net>
> Databits Network Services, Inc. <http://databits.net>
> finger petef@databits.net for PGP key
>
> 

-- 
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
got any work?  I'm looking for some.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: Blocking attacks from spoofed IP addresses
    ... see that they map to the same IP, and it logs failures (which I ... to spoof a TCP connection, ... If you must ban, block the address for a short ... Finding some PHP script on the net, ...
    (comp.os.linux.networking)
  • Re: temp files for security/logcheck
    ... the files disappear each time the script is run: ... that's an insecure way to create files in $TMPDIR (which is ... The script and the directory are ... mode 0700 -- this makes it difficult for it to be insecure. ...
    (FreeBSD-Security)
  • Re: [PHP] Re: Question about __destruct()
    ... Thus AFAIK a deconstructor will always be called at the end of script ... but you have no control over what order dtors are called and you can't ...
    (php.general)
  • Re: Database Projects - sql code
    ... but AFAIK you can't use the full set of Visual Database tools such ... as generating create script with MSDE, ...
    (microsoft.public.vsnet.general)
  • Re: Object doesnt support this property or method
    ... It's an error in the script for that web page. ... web page you can't do anything to solve it, AFAIK. ... > doesn't support this property or method" and gives a line number. ... > It's driving me mad, ...
    (microsoft.public.windowsxp.newusers)