Security Portal: Creating software packages for Linux – do’s and don’ts.

“Linux has been growing in popularity, and with that has come an
increase in third party software available for Linux.
Unfortunately it seems that Linux software vendors are intent
on making the same mistakes made by other third party software
vendors for UNIX.
If you have ever read security advisories
for UNIX software you have probably noticed that the same
problems occur over and over again.
This article will catalog
some of the most common problems, ways to detect them (so you can
then bug your software vendor), and solutions to them. Additionally
I will list some of the more advanced techniques for ensuring
continued system integrity in the event of a failure of a software

World writeable files and directories
This is a really, really bad idea. There is no reason to create a
new world writeable directory. If your software requires temporary
scratch files, please use the tmp directory (more notes on this
later), and if you simply need to store user preferences, files and
so on, store them in the user’s home directory.”

Temporary (tmp) files
Most programs need to create temporary files, and this can be done
perfectly safely if a little care and attention is taken. The first
thing a program should do is honor the “TMP_DIR” environment
variable. This allows users to create a ~/tmp_dir directory (or
similar) which can be much more protected than the world accessible
/tmp directory. Also, if you must create temp files, give them truly
random names.”
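
A sketch of the temp-file advice above in C, added here as an example and not taken from the article. The helper names `scratch_dir` and `make_scratch_file` are hypothetical, and the fallback to `TMPDIR` (the conventional POSIX variable name) is an assumption layered on top of the `TMP_DIR` variable the article names.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Choose the scratch directory: TMP_DIR (the name the article uses), then
 * TMPDIR (the conventional POSIX name, added here as an assumption), then
 * /tmp. Only an absolute path to an existing directory is accepted. */
static const char *scratch_dir(void)
{
    static const char *const names[] = { "TMP_DIR", "TMPDIR" };
    struct stat st;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *d = getenv(names[i]);
        if (d && d[0] == '/' && stat(d, &st) == 0 && S_ISDIR(st.st_mode))
            return d;
    }
    return "/tmp";
}

/* Create a scratch file with an unpredictable name. mkstemp() replaces the
 * XXXXXX suffix and opens the file with O_CREAT|O_EXCL, so an existing file
 * or symlink with that name is never opened or followed.
 * Returns an open descriptor and fills 'path', or returns -1 on error. */
int make_scratch_file(const char *prefix, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/%s.XXXXXX", scratch_dir(), prefix);
    if (n < 0 || (size_t)n >= len)
        return -1;                 /* path would not fit: refuse, don't truncate */
    mode_t old = umask(077);       /* owner-only even on libcs that don't force 0600 */
    int fd = mkstemp(path);
    umask(old);
    return fd;
}

int main(void)
{
    char path[PATH_MAX];
    int fd = make_scratch_file("pkgdemo", path, sizeof path);
    if (fd < 0) { perror("make_scratch_file"); return 1; }
    printf("created %s\n", path);  /* keep using fd; do not reopen by name */
    close(fd);
    unlink(path);
    return 0;
}
```

Work through the returned descriptor rather than reopening the file by name, and unlink the file as soon as it is no longer needed.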