Date: Mon, 19 Feb 2001 22:04:29 -0500
From: Peter W <peterw@USA.NET>
Subject: Re: HeliSec: StarOffice symlink exploit
To: BUGTRAQ@SECURITYFOCUS.COM

On Sat, Feb 17, 2001 at 04:57:23PM +0100, JeT Li wrote:

> One way to fix the problem is to create a directory inside your
> home directory which is inaccessible to anyone but yourself (permissions 700),
> called tmp. Then insert an entry in your login start-up file to set the $TMP
> environment variable to $HOME/tmp, so it will direct StarOffice to use your
> temporary directory, rather than the system /tmp. Something like this (in
> bash):
>
> [wushu@JeT-Li]$ TMP=$HOME/tmp ; export TMP
> (not permanent)
> or modify the .bash_profile adding TMP=$HOME/tmp and including this
> variable in the export.

BTW, I have some fairly sophisticated TMPDIR/TMP scripts in the CVS repository
for Bastille (http://sourceforge.net/projects/bastille-linux) that folks might
find useful. The scripts allow you to put TMPDIR somewhere other than $HOME
(say, local /tmp if $HOME is on NFS), to keep track of TMPDIRs on a
host-by-host basis, to hide the number of files and last access time of
$TMPDIR, etc. There's also an ancillary script designed to keep pruning tools
like 'tmpwatch' (frequently found on Linux systems) from removing $TMPDIR while
you're logged in, and to warn you via multiple channels if something is amiss
with your temp dir.

Look for bastille-tmpdir.sh, bastille-tmpdir.csh, and bastille-tmpdir-defense.sh
(the anti-'tmpwatch' tool). bastille-tmpdir.* go in /etc/profile.d, where many
systems will run them at login time (via /etc/bashrc or /etc/csh.login scanning
/etc/profile.d). bastille-tmpdir-defense.sh goes in /etc. All three should be
mode 0755.

These apps will be optional in the soon-to-be-released Bastille 1.2.0 hardening
tool for Red Hat and Mandrake Linux distributions. I've only tested the scripts
under Linux, but they should be fairly portable. Your feedback would be most
appreciated.

It's nice that apps let you pick your own preferred temp space ($HOME in some
cases is a poor choice), but it's a shame that some apps *need* you to do so to
behave safely. :-(

-Peter
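The private-TMPDIR approach discussed in this thread, as an added example that is not one of the Bastille scripts nor anything from the original posts: a login-script function that creates $HOME/tmp (or any directory you name) under a restrictive umask and refuses to point TMPDIR/TMP at it unless it is not a symlink, is owned by the caller and is mode 700. It assumes POSIX sh with 'ls -ldn' and 'id -u'; the function name and messages are my own.

```shell
#!/bin/sh
# Added example, not Bastille's bastille-tmpdir.sh: set up a private
# per-user temp directory and export TMPDIR/TMP only if it passes the
# checks that the shared /tmp fails: not a symlink, ours, mode 700.
# Assumes POSIX sh, 'ls -ldn' and 'id -u'.

# private_tmpdir DIR: export TMPDIR and TMP as DIR; return 1 if DIR is unsafe.
private_tmpdir() {
    dir=$1

    # Create it ourselves under umask 077 so there is never a window in
    # which the directory exists with group/world permissions.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        (umask 077 && mkdir "$dir") || { echo "cannot create $dir" >&2; return 1; }
    fi

    # A symlink here would redirect every later temp file somewhere else.
    if [ -L "$dir" ]; then
        echo "refusing $dir: symbolic link" >&2
        return 1
    fi

    # Mode string and numeric owner in one portable call (-d: the dir itself).
    set -- $(ls -ldn "$dir" 2>/dev/null)
    [ $# -ge 3 ] || { echo "cannot stat $dir" >&2; return 1; }
    mode=$1; uid=$3

    if [ "$uid" != "$(id -u)" ]; then
        echo "refusing $dir: owned by uid $uid, not $(id -u)" >&2
        return 1
    fi

    # Accept only rwx for the owner and nothing else. A trailing '.' is an
    # SELinux label marker; an ACL '+' is rejected since it may grant access.
    case $mode in
        drwx------|drwx------.) ;;
        *) echo "refusing $dir: mode is $mode, need drwx------" >&2; return 1 ;;
    esac

    TMPDIR=$dir; TMP=$dir
    export TMPDIR TMP
    return 0
}

# Typical use from a login script, mirroring the suggestion in the thread:
# private_tmpdir "$HOME/tmp" || echo "WARNING: still using shared /tmp" >&2
```

Because the function refuses rather than repairs, a directory that fails the check leaves TMPDIR untouched and prints why, which is the condition a login script should warn about instead of silently continuing.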