Re: {bb} security improvement

[Robert-Andre Croteau <sirac@videotron.ca>]

Adam Goryachev wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> in bb-histlog.sh I have made the following changes. although I am running a
> rather hacked up copy of BB so this may not work for you but something
> similar should perhaps be put into the next BB release....
> 
> line 101:
> change TMPFILE=/tmp/$FILENM
> to TMPFILE=$BBHOME/tmp/$FILENM
> 
> line 110:
> change cd /tmp
> to cd $BBHOME/tmp
> 
> and that was it.... better to use a private tmp dir that one that some
> other user might abuse in some way or another....

bb-histlog.sh, bb-hist.sh & all run as the user specified by web server
configuration.  This user needs write access to directories.  So
either writing to $BBHOME/tmp (which would need require write
permissions
for world) or /tmp is required.


-- 
Robert-Andre Croteau	BSD,MOTU		robert@unix.sh
Services Conseils Informatiques MOTU Inc. 	robert@motu.ca
(514) 465-3057					rcroteau@videotron.ca
http://www.motu.ca/                             http://www.bb4.com
	Si le bonheur ne s'achete pas alors louez le.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=
To unsubscribe from this list, or to subscribe to the bb-digest list
send e-mail to mailto:majordomo@bb4.com with unsubscribe bb -and/or-
subscribe bb-digest in the BODY of the message.