Larry W. Cashdollar 9/21/2001 /tmp kernel patches linux kernel v2.4. This page is a work in progress. I have been thinking about better ways to audit /tmp race conditions and looking for software that creates files insecurely in /tmp. This is my first kernel modification so I am sure there is a better place to add this code. I am now looking at reading the linux kernel documentation. I have a modification to the filesystem such that it does not allow symlinking in /tmp. Here is a patch for both. There is some strangeness with inode->i_mode, I am assuming it is my lack of experience with kernel code but I have been running my desktop with this patch for weeks with no problem. Log entries look like the following: Mar 25 20:42:46 rizzo kernel: TMPLOG Created file :/tmp/.tX0-lock 9 -396997619 100644 0 501 Mar 25 20:42:47 rizzo kernel: TMPLOG Created file :/tmp/server-0.xkm 12 -774052606 100664 501 501 Mar 25 20:42:49 rizzo kernel: TMPLOG Created file :/tmp/KDE.startkde.cLmfXS 19 995442290 100600 501 501 $ patch -p0 < patch.tmp *** namei.c Mon Mar 25 22:23:10 2002 --- namei.c.mod Mon Mar 25 22:23:01 2002 *************** *** 445,450 **** --- 448,454 ---- * If the create succeeds, we fill in the inode information * with d_instantiate(). */ + // TMP static int ext3_create (struct inode * dir, struct dentry * dentry, int mode) { handle_t *handle; *************** *** 457,464 **** if (IS_SYNC(dir)) handle->h_sync = 1; - inode = ext3_new_inode (handle, dir, mode); err = PTR_ERR(inode); if (!IS_ERR(inode)) { inode->i_op = &ext3_file_inode_operations; --- 461,469 ---- if (IS_SYNC(dir)) handle->h_sync = 1; inode = ext3_new_inode (handle, dir, mode); + printk(KERN_INFO "TMPLOG Created file :/%s/%s %d %d %o %d %d\n",dentry->d_parent->d_name.name,dentry->d_name,inode->i_mode,inode->i_uid,inode->i_gid,mode,inode->i_size); + err = PTR_ERR(inode); if (!IS_ERR(inode)) { inode->i_op = &ext3_file_inode_operations; *************** *** 903,909 **** l = strlen(symname)+1; if (l > dir->i_sb->s_blocksize) return -ENAMETOOLONG; ! handle = ext3_journal_start(dir, EXT3_DATA_TRANS_BLOCKS + 5); if (IS_ERR(handle)) return PTR_ERR(handle); --- 908,917 ---- l = strlen(symname)+1; if (l > dir->i_sb->s_blocksize) return -ENAMETOOLONG; ! if (strcmp(dentry->d_parent->d_name.name,"tmp")==0) { ! printk(KERN_INFO "LNKLOG Link Attempt creation in /tmp/%s %s.\n",dentry->d_name.name,symname); ! return -EPERM; ! } handle = ext3_journal_start(dir, EXT3_DATA_TRANS_BLOCKS + 5); if (IS_ERR(handle)) return PTR_ERR(handle);