Re: Insecure use of file in /tmp by trn

From: Martin Schulze (joeyat_private)
Date: Mon Aug 23 1999 - 01:35:21 PDT


    Rogier Wolff wrote:
    > > > > This was not intentional by the author, he tried to use tempfile(1) to
    > > > > create the temporary filename.  However, due to a thinko, the name was
    > > > > hardcoded into the script.
    > > > [...]
    > > > > +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
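    Review bot: the one added line quoted here starts with `#`, so the escaped `tempfile -p active` call on it is a comment and assigns nothing. Quote the line that actually sets NNTPactive as well, so the reader can check that the name is chosen when the script runs and not fixed in advance.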
    > > >
    > > > So now you're using tempfile? This usually yields an easily
    > >
    > > No, but now we're using tempfile in a proper way.  In the original source
    > > code it was used like:
    > >
    > > 	NNTPactive=`tempfile -p active`
    >
    > This is what I meant. You've made it just a teeny bit harder to exploit,
    > but the same exploit is still there.
    >
    > 10 years ago, this solution would've been adequate. Nowadays everybody
    > should know that this is very hard to get right. Moreover the "bad guys"
    > already have the exploit programs ready.
    >
    > Creating a tempfile from a C program is possible since we have a
    > mkstmp call. It is sufficiently tricky that I wouldn't dare
    
    I'm sorry, but I don't understand.  tempfile is a C program that creates
    a tempfile.
    
    DESCRIPTION
           tempfile  creates  a  temporary file in a safe manner.  It
           uses tempnam(3) to choose  the  name  and  opens  it  with
           O_RDWR  |  O_CREAT  |  O_EXCL.  The filename is printed on
           standard output.
    
    > replicating the functionality myself. Creating a private directory in
    > /tmp and putting the tempfiles in there might be the only solution for
    > shell scripts.
    
    In which case you only make things more difficult to exploit, since such
    a directory would be guessable as well as a tempfilename would, same for
    the file inside of it.
    
    Regards,
    
    	Joey
    
    --
    Whenever you meet yourself you're in a time loop or in front of a mirror.
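
The "thinko" discussed in this message, as an added example that is not part of the original post or of trn's code. It assumes the installed script is written out by a generator through an unquoted here-document (the page shows only the escaped and unescaped forms); `mktemp` stands in for `tempfile`, and `generate`, `names_differ` and `is_private_dir` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not trn's code. Assumption: the installed script is written
# by a generator through an unquoted here-document. mktemp(1) stands in for
# tempfile(1), and $(...) is the modern spelling of the backticks.

# Private scratch directory (mktemp -d creates it with mode 0700).
WORK=$(mktemp -d "${TMPDIR:-/tmp}/gen-demo.XXXXXX") || exit 1
trap 'rm -rf "$WORK"' EXIT

# generate MODE OUTFILE: write a script that picks a temp file name.
generate() {
    if [ "$1" = hardcoded ]; then
        # Unescaped: the substitution runs NOW, so one name is baked in.
        cat > "$2" <<EOF
#!/bin/sh
active=$(mktemp "$WORK/active.XXXXXX")
echo "\$active"
EOF
    else
        # Escaped: the substitution is deferred until the script itself runs.
        cat > "$2" <<EOF
#!/bin/sh
active=\$(mktemp "$WORK/active.XXXXXX")
echo "\$active"
EOF
    fi
}

# names_differ SCRIPT: run it twice; true only if each run got its own name.
names_differ() {
    first=$(sh "$1") && second=$(sh "$1") && [ "$first" != "$second" ]
}

# is_private_dir DIR: true if DIR is a directory only its owner can access.
is_private_dir() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

generate hardcoded "$WORK/fixed.sh"
generate runtime "$WORK/fresh.sh"
for s in fixed fresh; do
    if names_differ "$WORK/$s.sh"; then
        echo "$s.sh: new name on every run"
    else
        echo "$s.sh: same name on every run"
    fi
done
```

The generated `fixed.sh` contains a literal path, which is the hardcoded name the quoted advisory text describes; `fresh.sh` contains the command itself and gets a new file on each run.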
    