
Preventing Symlink Attacks...
Subject: Preventing Symlink Attacks...
Group: Debian-security
From: Conall O'Brien
Date: 18 Sep 2006


 

Hello,


As suggested by Joey Schulze, I'd like input from people here on how to
deal with potential symlink attacks for my queuegraph package now in
sid.


Queuegraph is a simple script. It has a shell script which works out
Postfix queue statistics, then saves them in an rrd DB (in
/var/lib/queuegraph/ ). Separately, a Perl CGI script (in
/usr/lib/cgi-bin/ ) processes the rrd DB when called to generate RRD
graphs. I've made modifications to the tmp path in the CGI script to
store the generated .png graphs in /var/tmp/queuegraph/


What is the best way for me to protect from symlink attacks? Or should I
change this path to say /var/cache/queuegraph/ (as done in the bindgraph
package, which has similarities to my package)?


Suggestions & thoughts welcome.

--

Conall O'Brien

+353 (0)1 6535148 | sip:31313

http://www.conall.net

Eagles may soar, but weasels don't get sucked into jet engines.
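
One way to write the generated graphs so that a link planted in the output directory is never followed, as an added example that is not part of the original message or of the queuegraph package. The function names `dir_is_safe` and `write_graph` are hypothetical, and the output directory is assumed to be created by the package and owned by the user the CGI runs as.

```shell
#!/bin/sh
# Added example (not queuegraph code); function names are hypothetical.

# Succeed only if $1 is a real directory (not a symlink) owned by the
# current user and not writable by group or others, so that no other
# user can plant links inside it.
dir_is_safe() {
    dir=${1%/}
    # find does not follow a symlink named on the command line, so a link
    # to a directory shows up as type l and fails the -type d test.
    [ -n "$(find "$dir" -prune -type d -user "$(id -u)" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# write_graph DIR NAME: copy stdin to DIR/NAME without ever opening a
# path that could have been created in advance by someone else.
write_graph() {
    dir=${1%/} name=$2
    case $name in
        ''|.*|*/*) return 1 ;;          # plain file names only
    esac
    dir_is_safe "$dir" || return 1
    # A directory (or a link to one) at the target would make mv move
    # the file into it, so refuse.
    if [ -d "$dir/$name" ]; then return 1; fi
    # mktemp creates the file exclusively under an unpredictable name.
    tmp=$(mktemp "$dir/.graph.XXXXXX") || return 1
    # Renaming over the target replaces an existing symlink itself
    # instead of writing through it.
    if cat > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dir/$name"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

The same checks apply whichever of /var/tmp/queuegraph/ or /var/cache/queuegraph/ is used; what matters is that the directory itself is not writable by other users.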


