Re: /tmp event logger

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Sun, 15 Mar 1998 11:06:30 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: bst@INAME.COM: "(no subject)"
Previous message: T. Freak: "More broadcast fun"
Maybe in reply to: Michal Zalewski: "/tmp event logger"

> Due to excessive amount of /tmp races reported last months, here's
> /tmp event logger. This simple and small program logs file activity
> in given directory, giving clear, reusable, space-saving format
> (including operation, filename, uid/gid, file type, permissions,
> current time). It's very useful when you're looking for possible
> vunerabilities, or trying to trace attacks.

Many of you have source to the operating systems and tools you run.

I like to make a strong recommendation for source-level audits as the
best way to find these problems. And while you are there you can fix
them too, and then tell the maintainers of the packages; not just

For instance, all programs compiled with GNU f77 have 2 mktemp races.
It's in the source. I just contacted the maintainer of the package;
he didn't appear to have any idea what a /tmp race is. This is going
to be extremely common. So those who care about this issue should
start auditing code, and then telling the authors of these systems
that such problems are unacceptable. Try to give them patches. Push
hard to get these things fixed.

Next message: bst@INAME.COM: "(no subject)"
Previous message: T. Freak: "More broadcast fun"
Maybe in reply to: Michal Zalewski: "/tmp event logger"