Re: tmpfile alternative

From: Glynn Clements (glynn.clementsat_private)
Date: Wed Jan 02 2002 - 23:56:04 PST


    zoppiat_private wrote:
    
    > Hi, I've implemented this function as part of my bondlog package:
    
    [snip]
    
    > Could this function be considered a valid safe tempfile alternative?
    
    I take it that RANDOMFILE is meant to be set to /dev/urandom or
    equivalent (if it were a static file, the function certainly wouldn't
    be safe). Using /dev/random isn't an option, as this would allow
    anyone to DoS the application by emptying the entropy pool.
    
    The main problem is that, assuming that an attacker can exhaust the
    entropy pool used by the RNG, your function is only as reliable as
    /dev/urandom.
    
    The unpredictability of the filename is only one part of a solution. 
    You should still use lstat/fstat checks to guard against symlink
    attacks.
    
    AFAICT, a reasonable approach for resisting symlink attacks is:
    
    1. Select a random filename; using the pid (as well as random data)
    helps to prevent "innocent" collisions between multiple instances.
    
    2. Call lstat() on the selected filename.
    
    3. If lstat() succeeds, something (file, symlink or otherwise) already
    exists with that name, so go back to step 1.
    
    4. Open the file, using open(..., O_CREAT|O_EXCL). If you need a
    "FILE*", use fdopen() on the resulting descriptor.
    
    5. Call lstat() again on the filename, and call fstat() on the
    descriptor.
    
    6. Check that lstat() reports the object as a file, and that the
    device/inode pairs reported by lstat() and fstat() match.
    
    7. If any of the checks fail, consider reporting/logging a warning.
    
    You can't absolutely guarantee safety (an attacker might be able to
    predict the filename, O_EXCL may not work on an NFS mount, and the
    attacker might win the race between lstat/open). But you can make
    exploitation extremely unlikely (and likely to generate a lot of
    warnings first).
    
    A simpler alternative is to create a temporary directory with mode
    0600, and create the tempfile there. mkdir() should be immune to the
    standard symlink attack (where the complete pathname exists as a
    symlink). You probably don't need to worry about /, /var or /var/spool
    being malicious symlinks (if you do, you have bigger problems to worry
    about).
    
    In general, it's preferable to just avoid world-writable directories,
    e.g. by giving each uid its own directory.
    
    -- 
    Glynn Clements <glynn.clementsat_private>
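The seven-step lstat/open/fstat procedure from the message above, written out as an added C example. This is not code from the post or from the bondlog package; the function names (safe_tempfile, verify_tempfile, pick_name, read_random) are hypothetical, and RANDOMFILE is assumed to be /dev/urandom as the reply supposes. It assumes a POSIX host with a writable /tmp.

```c
/* Added example, not from the post or the bondlog package: the seven-step
 * lstat/open/fstat procedure from the message, in C. Assumes a POSIX host
 * with /dev/urandom; the function names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The post assumes RANDOMFILE is a kernel RNG device, never a static file. */
#define RANDOMFILE "/dev/urandom"

/* Fill buf with nbytes from RANDOMFILE; 0 on success, -1 on error. */
static int read_random(unsigned char *buf, size_t nbytes) {
    int fd = open(RANDOMFILE, O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < nbytes) {
        ssize_t n = read(fd, buf + got, nbytes - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Step 1: "<dir>/<prefix>.<pid>.<16 hex digits>". The pid prevents innocent
 * collisions between instances; the random part prevents guessing. */
static int pick_name(char *out, size_t outlen, const char *dir, const char *prefix) {
    unsigned char rnd[8];
    char hex[17];
    int i, n;
    if (read_random(rnd, sizeof rnd) != 0) return -1;
    for (i = 0; i < 8; i++) snprintf(hex + 2 * i, 3, "%02x", rnd[i]);
    n = snprintf(out, outlen, "%s/%s.%ld.%s", dir, prefix, (long)getpid(), hex);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Steps 5 and 6: the name must still be a regular file, and the dev/inode
 * pair seen through the path must match the descriptor we hold.
 * Returns 0 when both checks pass, -1 otherwise. */
int verify_tempfile(const char *path, int fd) {
    struct stat byname, byfd;
    if (lstat(path, &byname) != 0 || fstat(fd, &byfd) != 0) return -1;
    if (!S_ISREG(byname.st_mode)) return -1;
    return (byname.st_dev == byfd.st_dev && byname.st_ino == byfd.st_ino) ? 0 : -1;
}

/* Steps 1-7 together: returns an open descriptor and stores the path in
 * `path`, or -1 on failure. *warned is set when a post-open check failed,
 * the case the post says should be reported. */
int safe_tempfile(const char *dir, const char *prefix, char *path, size_t pathlen,
                  int *warned) {
    struct stat st;
    int attempt, fd;
    *warned = 0;
    for (attempt = 0; attempt < 100; attempt++) {
        if (pick_name(path, pathlen, dir, prefix) != 0) return -1;
        /* Steps 2 and 3: anything already there (file, symlink, ...) means retry. */
        if (lstat(path, &st) == 0) continue;
        if (errno != ENOENT) return -1;
        /* Step 4: with O_CREAT|O_EXCL, a name that appeared meanwhile (even as a
         * symlink) makes open() fail with EEXIST instead of being followed. */
        fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd < 0) {
            if (errno == EEXIST) continue;  /* lost the lstat/open race; new name */
            return -1;
        }
        if (verify_tempfile(path, fd) != 0) {
            /* Step 7: a failure here is a sign of tampering; log it and bail. */
            *warned = 1;
            fprintf(stderr, "warning: %s changed between open() and check\n", path);
            close(fd);
            return -1;
        }
        return fd;
    }
    return -1;
}

int main(void) {
    char path[256];
    int warned, fd = safe_tempfile("/tmp", "bondlog", path, sizeof path, &warned);
    if (fd < 0) { fprintf(stderr, "failed (warned=%d)\n", warned); return 1; }
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

The step-6 comparison is what catches the substitution the message warns about: if the name is replaced by a symlink after open(), lstat() reports S_IFLNK (or a different dev/inode) while fstat() still describes the file actually opened, so verify_tempfile returns -1 and the caller refuses to use the file. As the reply notes, O_EXCL is not reliable on NFS and the name can still be raced, so the checks reduce the window rather than close it.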
    



    This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 09:55:24 PST