Linux Today: Linux News On Internet Time.

Security Portal: Creating software packages for Linux - do's and don'ts.

Mar 01, 2000, 18:14
(Other stories by Kurt Seifried)

"Linux has been growing in popularity, and with that has come an increase in third party software available for Linux. Unfortunately it seems that Linux software vendors are intent on making the same mistakes made by other third party software vendors for UNIX. If you have ever read security advisories for UNIX software you have probably noticed that the same problems occur over and over again. This article will catalog some of the most common problems, ways to detect them (so you can then bug your software vendor), and solutions to them. Additionally I will list some of the more advanced techniques for ensuring continued system integrity in the event of a failure of a software package."

"World writeable files and directories
This is a really, really bad idea. There is no reason to create a new world writeable directory; if your software requires temporary scratch files, please use the tmp directory (more notes on this later), and if you simply need to store user preferences, files and so on, store them in the user's home directory."

"Temporary (tmp) files
Most programs need to create temporary files, and this can be done perfectly safely if a little care and attention is taken. The first thing a program should do is honor the "TMP_DIR" environment variable. This allows users to create a ~/tmp_dir directory (or similar) which can be much more protected than the world accessible /tmp directory. Also, if you must create temp files, give them truly random names."
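
The temporary-file advice quoted above, as an added C example that is not code from the article: it reads the TMP_DIR variable the excerpt names, refuses a world-writable directory that lacks the sticky bit, and lets mkstemp() choose the random name. The fallback to TMPDIR and /tmp, and the function names, are assumptions made for this sketch.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkstemp(), S_ISVTX */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pick the scratch directory. TMP_DIR is the variable the article names;
 * TMPDIR (the conventional name) and /tmp are fallbacks assumed here. */
static const char *scratch_dir(void)
{
    const char *d = getenv("TMP_DIR");
    if (!d || !*d) d = getenv("TMPDIR");
    if (!d || !*d) d = "/tmp";
    return d;
}

/* A world-writable directory is only usable when the sticky bit stops
 * other users from renaming or deleting our file. */
static int dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) return 0;
    return 1;
}

/* Create a private temp file; returns an open fd (path in out) or -1.
 * mkstemp() picks an unpredictable name and opens with O_CREAT|O_EXCL and
 * mode 0600, so it never follows a symlink planted at that name. */
int open_private_temp(const char *prefix, char *out, size_t outlen)
{
    const char *dir = scratch_dir();
    if (!dir_is_safe(dir)) return -1;
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return mkstemp(out);
}

int main(void)
{
    char path[4096];
    int fd = open_private_temp("demo", path, sizeof path);
    if (fd < 0) { perror("open_private_temp"); return 1; }
    printf("created %s\n", path);
    unlink(path);   /* delete the name; the fd stays usable until close */
    close(fd);
    return 0;
}
```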
