Re: Insecure use of file in /tmp by trn

From: Rogier Wolff (R.E.Wolffat_private)
Date: Mon Aug 23 1999 - 02:49:52 PDT


    Martin Schulze wrote:
    > Rogier Wolff wrote:
    > > > > > This was not intentional by the author, he tried to use tempfile(1) to
    > > > > > create the temporary filename.  However, due to a thinko, the name was
    > > > > > hardcoded into the script.
    > > > > [...]
    > > > > > +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
    > > > >
    > > > > So now you're using tempfile? This usually yields an easily
    > > >
    > > > No, but now we're using tempfile in a proper way.  In the original source
    > > > code it was used like:
    > > >
    > > > 	NNTPactive=`tempfile -p active`
    > >
    > > This is what I meant. You've made it just a teeny bit harder to exploit,
    > > but the same exploit is still there.
    > >
    > > 10 years ago, this solution would've been adequate. Nowadays everybody
    > > should know that this is very hard to get right. Moreover the "bad guys"
    > > already have the exploit programs ready.
    > >
    > > Creating a tempfile from a C program is possible since we have a
    > > mkstemp call. It is sufficiently tricky that I wouldn't dare
    >
    > I'm sorry, but I don't understand.  tempfile is a C program that creates
    > a tempfile.
    >
    > DESCRIPTION
    >        tempfile  creates  a  temporary file in a safe manner.  It
    >        uses tempnam(3) to choose  the  name  and  opens  it  with
    >        O_RDWR  |  O_CREAT  |  O_EXCL.  The filename is printed on
    >        standard output.
    
    If the file is already created, it should make exploits a lot less
    easy. Maybe even impossible.
    
    > > replicating the functionality myself. Creating a private directory in
    > > /tmp and putting the tempfiles in there might be the only solution for
    > > shell scripts.
    >
    > In which case you only make things more difficult to exploit, since such
    > a directory would be guessable as well as a tempfilename would, same for
    > the file inside of it.
    
    mkdir will not overwrite or follow a link. The directory is owned by
    the user. So symlink flipping won't be allowed by the OS.
    
    So mkdir `mktemp /tmp/myprog.XXXXX` should also be safe, provided you
    check the return code to make sure you succeeded.
    
    The root of the problem is that other users can write in MY temp area.
    We should recognize that there are different uses for the /tmp
    directory, and separate them.
    
    Programs, scripts etc should use a private temporary area that is
    restricted to MY uid.
    
    And there should be a sharing directory that users can use.
    
    Roger.
    
    --
    ** R.E.Wolffat_private ** http://www.BitWizard.nl/ ** +31-15-2137555 **
    *-- BitWizard writes Linux device drivers for any device you may have! --*
    ------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
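
The private-directory approach from the message above, written out as an added example (not code from the thread or from trn itself): `mktemp -d` creates the directory atomically with mode 0700 and fails instead of reusing an existing path, and every result is checked so the script never silently falls back to a predictable name such as `/tmp/active.$$`. The program name `trn`, the `TMPDIR` fallback and the sample "active" line are assumptions for illustration.

```sh
#!/bin/sh
# Added example: a per-run private temp area for a shell script.

# Create a directory only this uid can enter, or fail loudly.
# Prints the path on success; returns non-zero on any failure.
make_private_tmpdir() {
    prog=${1:-myprog}
    base=${TMPDIR:-/tmp}
    # mktemp -d picks an unpredictable name, creates the directory with
    # mode 0700 and refuses to reuse a path that already exists, so a
    # pre-planted file or symlink at that name makes it fail, not follow.
    dir=$(mktemp -d "$base/$prog.XXXXXXXX") || return 1
    # Sanity checks on what we got back: a real directory, not a link,
    # and private to us even if the umask or platform did something odd.
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    chmod 0700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Use the private area the way the script in the thread would use
# NNTPactive: every temporary path lives under $tmpdir, never directly
# in the shared /tmp, and the area is removed when the script exits.
stage_active_file() {
    tmpdir=$(make_private_tmpdir trn) || {
        echo "cannot create private temp dir, aborting" >&2
        return 1
    }
    trap 'rm -rf "$tmpdir"' EXIT INT TERM
    active="$tmpdir/active"
    # Constructed sample content standing in for the fetched active file.
    printf '%s\n' 'comp.os.linux 0000001234 0000001000 y' > "$active" || return 1
    grep -c ' y$' "$active"
}
```

Check the mode of whatever `make_private_tmpdir` returns before trusting it: `ls -ld "$dir"` should show `drwx------` and your own uid, and a non-zero exit must stop the script rather than continue with a guessed name.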
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:02 PDT