From mboxrd@z Thu Jan  1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <CAOw7k5h7i8ka6xhLWqGccHRZoqt1ybb5MUAWSYth5_cR0=Q7LA@mail.gmail.com>
References: <20141203234918.GA27533@free.fr>
	<CAOw7k5h7i8ka6xhLWqGccHRZoqt1ybb5MUAWSYth5_cR0=Q7LA@mail.gmail.com>
Date: Fri,  5 Dec 2014 14:08:11 +1100
Message-ID: <CAJQxxwm7ijEdjSUf73yCcUFS-nRwss1=MfK01+XJpAjQ_+2zdQ@mail.gmail.com>
From: Bruce Ellis <bruce.ellis@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: multipart/alternative; boundary=001a11c25cd015e52805096f63e3
Subject: Re: [9fans] Debian bug 737206 - rc shell uses insecurely /tmp
Topicbox-Message-UUID: 33b57966-ead9-11e9-9d60-3106f5b1d025

--001a11c25cd015e52805096f63e3
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Don't these people have better things to do than finding non-bugs in
systems they don't understand?

brucee

On 5 December 2014 at 13:33, Charles Forsyth <charles.forsyth@gmail.com>
wrote:

>
> On Wed, Dec 3, 2014 at 11:49 PM, St=C3=A9phane Aulery <saulery@free.fr> w=
rote:
>
>> discovered that rc
>>    creates temporary files in an insecure way:
>>
>
> rc was built for a system that made /tmp secure by not sharing it (it's
> always private to a user and even sometimes to a set of processes).
> That way not every app has to try to help sustain the pretence that a
> shared /tmp can really be secured (+s bits, EXCL create, etc..)
> Obviously the version for Unix will have to change its generation scheme
> to fit in.
>

--001a11c25cd015e52805096f63e3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Don&#39;t these people have better things to do than findi=
ng non-bugs in systems they don&#39;t understand?<div><br></div><div>brucee=
</div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On 5 =
December 2014 at 13:33, Charles Forsyth <span dir=3D"ltr">&lt;<a href=3D"ma=
ilto:charles.forsyth@gmail.com" target=3D"_blank">charles.forsyth@gmail.com=
</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin=
:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><=
div class=3D"gmail_extra"><span class=3D""><br><div class=3D"gmail_quote">O=
n Wed, Dec 3, 2014 at 11:49 PM, St=C3=A9phane Aulery <span dir=3D"ltr">&lt;=
<a href=3D"mailto:saulery@free.fr" target=3D"_blank">saulery@free.fr</a>&gt=
;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div style=3D"overflow:hi=
dden"> discovered that rc<br>
=C2=A0 =C2=A0creates temporary files in an insecure way:</div></blockquote>=
</div><br></span>rc was built for a system that made /tmp secure by not sha=
ring it (it&#39;s always private to a user and even sometimes to a set of p=
rocesses).</div><div class=3D"gmail_extra">That way not every app has to tr=
y to help sustain the pretence that a shared /tmp can really be secured (+s=
 bits, EXCL create, etc..)</div><div class=3D"gmail_extra">Obviously the ve=
rsion for Unix will have to change its generation scheme to fit in.</div></=
div>
</blockquote></div><br></div>

--001a11c25cd015e52805096f63e3--