$TMPDIR (was Re: Security: Mutt and mailcap rules)

Vincent Lefevre vincent at vinc17.org
Wed Jun 26 14:26:44 UTC 2019


On 2019-06-25 14:26:16 -0500, Derek Martin wrote:
> On Tue, Jun 25, 2019 at 09:11:22PM +0200, Vincent Lefevre wrote:
> > On 2019-06-24 17:18:27 -0500, Derek Martin wrote:
> > > Mutt honors $TMPDIR. You should set it.  You should probably not use
> > > /tmp, especially on a multi-user system, especially if you care about
> > > security (privacy to be more precise, but that's part of security).
> > > You should probably also not put it on NFS.
> > 
> > On the multi-user machines I use, my home is under NFS. So, there
> > isn't much choice. The other directories I can use are just like
> > /tmp.
> 
> BUT... you still can do better than just using /tmp.  You can create,
> say, /tmp/vincent, with 700 perms, which effectively solves most of the
> problem.  Then set TMPDIR to that. :)

Mutt should do the creation of the intermediate directory for me.

> In some cases it might get cleaned up, but you can just have your
> .profile (or whatever) recreate it when you log in... FWIW this is
> probably what I would do in that case.

But if the directory has already been created by someone else,
this is not OK. The solution must be compatible with Mutt's
$tmpdir variable (which will not affect other applications,
contrary to $TMPDIR).

> You could still use your home directory too... most of the trouble is
> that you have to trust your sysadmins.

If there's a security issue there, then there's nothing one can do:
my account could be hacked and everything could be read. The problem
is more the reliability of NFS. So temporary files are better put
somewhere else.

> The other reason to avoid using /tmp (or another world-writable
> directory) is avoiding things like symlink attacks, and similar
> classes of things.

At least symlink attacks are now protected by the kernel (and BTW, a
bug in some Debian package related to a symlink attack is no longer
regarded as a security bug by Debian, no longer RC).

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


More information about the Mutt-dev mailing list