zoppiat_private wrote:

> Hi, I've implemented this function as part of my bondlog package:
[snip]
> Could this function be considered a valid safe tempfile alternative?

I take it that RANDOMFILE is meant to be set to /dev/urandom or equivalent (if it were a static file, the function certainly wouldn't be safe). Using /dev/random isn't an option, as this would allow anyone to DoS the application by emptying the entropy pool.

The main problem is that, assuming that an attacker can exhaust the entropy pool used by the RNG, your function is only as reliable as /dev/urandom.

The unpredictability of the filename is only one part of a solution. You should still use lstat/fstat checks to guard against symlink attacks.

AFAICT, a reasonable approach for resisting symlink attacks is:

1. Select a random filename; using the pid (as well as random data) helps to prevent "innocent" collisions between multiple instances.
2. Call lstat() on the selected filename.
3. If lstat() succeeds, something (file, symlink or otherwise) already exists with that name, so go back to step 1.
4. Open the file, using open(..., O_CREAT|O_EXCL). If you need a "FILE*", use fdopen() on the resulting descriptor.
5. Call lstat() again on the filename, and call fstat() on the descriptor.
6. Check that lstat() reports the object as a file, and that the device/inode pairs reported by lstat() and fstat() match.
7. If any of the checks fail, consider reporting/logging a warning.

You can't absolutely guarantee safety (an attacker might be able to predict the filename, O_EXCL may not work on an NFS mount, and the attacker might win the race between lstat/open). But you can make exploitation extremely unlikely (and likely to generate a lot of warnings first).

A simpler alternative is to create a temporary directory with mode 0600, and create the tempfile there. mkdir() should be immune to the standard symlink attack (where the complete pathname exists as a symlink).

You probably don't need to worry about /, /var or /var/spool being malicious symlinks (if you do, you have bigger problems to worry about). In general, it's preferable to just avoid world-writable directories, e.g. by giving each uid its own directory.

-- 
Glynn Clements <glynn.clementsat_private>
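The seven-step lstat/O_EXCL/fstat recipe from the reply above, written out as an added example (not code from the original message or from the bondlog package). It assumes RANDOMFILE is /dev/urandom as the reply suggests, and that the caller supplies the directory; the names random_name, verify_tempfile and safe_tempfile are the example's own.

```c
/* Added example: a temporary-file creator following the lstat / O_CREAT|O_EXCL /
 * fstat checks described in the reply. Illustrative code, not from bondlog. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define RANDOMFILE "/dev/urandom"  /* assumed: a kernel RNG device, never a static file */
#define MAX_TRIES 100

/* Step 1: build "<dir>/tmp.<pid>.<16 hex digits>" in buf. The pid avoids
 * innocent collisions between instances; the random bytes make the name
 * hard to predict. Returns 0 on success, -1 if the RNG cannot be read. */
static int random_name(const char *dir, char *buf, size_t len)
{
    unsigned char r[8];
    int fd = open(RANDOMFILE, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, r, sizeof r);
    close(fd);
    if (n != (ssize_t)sizeof r) return -1;
    int w = snprintf(buf, len, "%s/tmp.%ld.%02x%02x%02x%02x%02x%02x%02x%02x",
                     dir, (long)getpid(), r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7]);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

/* Steps 5-6: after the open, confirm that the name still refers to a regular
 * file and that the object lstat() sees by name is the one we hold open
 * (same device/inode). Returns 0 when everything matches, -1 otherwise. */
int verify_tempfile(const char *path, int fd)
{
    struct stat ls, fs;
    if (lstat(path, &ls) != 0 || fstat(fd, &fs) != 0) return -1;
    if (!S_ISREG(ls.st_mode)) return -1;                /* a symlink or other object */
    if (ls.st_dev != fs.st_dev || ls.st_ino != fs.st_ino) return -1; /* name != descriptor */
    return 0;
}

/* Steps 1-7: create a fresh 0600 file in dir, writing its path into path_out.
 * Returns an open descriptor, or -1 on failure (with a warning if a check failed). */
int safe_tempfile(const char *dir, char *path_out, size_t path_len)
{
    for (int i = 0; i < MAX_TRIES; i++) {
        struct stat st;
        if (random_name(dir, path_out, path_len) != 0) return -1;
        /* Steps 2-3: anything already there (file, symlink, ...) means pick another name. */
        if (lstat(path_out, &st) == 0) continue;
        if (errno != ENOENT) return -1;
        /* Step 4: O_EXCL refuses to follow an existing symlink or reuse an existing file. */
        int fd = open(path_out, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd < 0) {
            if (errno == EEXIST) continue;              /* lost the race; try another name */
            return -1;
        }
        if (verify_tempfile(path_out, fd) != 0) {
            /* Step 7: the name changed between lstat() and open(); warn and refuse it. */
            fprintf(stderr, "warning: %s changed underneath us, possible symlink attack\n",
                    path_out);
            close(fd);
            return -1;
        }
        return fd;
    }
    return -1;
}

int main(void)
{
    char path[PATH_MAX];
    int fd = safe_tempfile("/tmp", path, sizeof path);
    if (fd < 0) { perror("safe_tempfile"); return 1; }
    FILE *fp = fdopen(fd, "w+");                        /* the FILE* route from step 4 */
    fprintf(fp, "hello\n");
    fclose(fp);
    unlink(path);
    return 0;
}
```

verify_tempfile is kept separate from safe_tempfile so that the post-open check can be reused on any descriptor/name pair; when it fails, the caller gets the warning the reply recommends and never uses the file.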
This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 09:55:24 PST