Re: many packages write to `temporary-file-directory' insecurely
From: Al Petrofsky
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Mon, 4 Mar 2002 18:26:40 -0800
> From: Richard Stallman <address@hidden>
> That code needs comments to explain what it is trying to do and why
> that is right. After some study, I think I see WHAT it does, but I
> can't see why one would want to do that.
The original problem was that when we wrote over /tmp/snake-scores we
couldn't be sure that /tmp/snake-scores hadn't just been changed from
a file to a symbolic link pointing to one of our important files.
My solution is to first write the scores securely into a temp file and
then move it to the desired place. This is safe, because if someone
has made the destination filename a symbolic link, then the rename
system call removes the link, rather than overwriting the linked-to
file.
This requires storing the file in a subdirectory of /tmp that is
world-writable without restriction, as opposed to /tmp itself, which
normally has its sticky bit set, thus forbidding people from deleting
others' files or renaming over them.
The catch is that if someone has made /tmp/emacs-game-scores a
symbolic link to one of our directories, then we could overwrite the
file named snake-scores in that directory. So the improvement is that
only our files named snake-scores are vulnerable, rather than all of
them.
> It seems to make the file read-only; why do that?
The point of (set-file-modes temp #o444) is to ensure the file is
world-readable, in case the user has a paranoid umask. Making the
file non-writable is not necessary.
-al
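The two situations the message describes, as an added example that is not part of the thread or of Emacs: a Python sandbox (not the Emacs Lisp under discussion) that first shows why writing straight to the destination path is unsafe when that name has become a symlink, then the write-to-temp-file-and-rename pattern, and finally the remaining exposure when the scores directory itself has been replaced by a symlink. The directory and file names `emacs-game-scores`, `snake-scores`, `important.txt` and `victim-home` are constructed for the sandbox; `os.fchmod` on the open descriptor stands in for `(set-file-modes temp #o444)` on the path.

```python
import os
import stat
import tempfile

SCORES_NAME = "snake-scores"  # name used in the thread


def naive_write(target, data):
    """The pattern the thread calls insecure: open the destination path
    directly. If that name is now a symlink, the write follows it."""
    with open(target, "w") as f:
        f.write(data)


def safe_write(target, data):
    """Write-to-temp-then-rename, as described in the message.

    mkstemp opens with O_CREAT|O_EXCL, so the temp file cannot be a
    pre-planted symlink. fchmod on the descriptor makes it world-readable
    regardless of umask (the purpose of set-file-modes #o444). rename(2)
    then replaces whatever sits at the destination name, a symlink
    included, instead of writing through it."""
    dirname = os.path.dirname(target) or "."
    fd, temp = tempfile.mkstemp(prefix=SCORES_NAME + ".", dir=dirname)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            os.fchmod(fd, 0o444)
        os.replace(temp, target)
    except BaseException:
        try:
            os.unlink(temp)
        except FileNotFoundError:
            pass
        raise


def demo_symlinked_file(writer):
    """Run `writer` against a scores path that has been turned into a
    symlink to an 'important' file (constructed sandbox). Return the
    important file's contents afterwards, whether the scores name is
    still a symlink, and the mode of the scores file if it is regular."""
    with tempfile.TemporaryDirectory() as root:
        important = os.path.join(root, "important.txt")
        with open(important, "w") as f:
            f.write("precious data\n")
        game_dir = os.path.join(root, "emacs-game-scores")
        os.mkdir(game_dir)
        scores = os.path.join(game_dir, SCORES_NAME)
        os.symlink(important, scores)  # planted link at the scores name
        writer(scores, "alice 100\n")
        with open(important) as f:
            important_after = f.read()
        is_link = os.path.islink(scores)
        mode = None if is_link else stat.S_IMODE(os.lstat(scores).st_mode)
        return important_after, is_link, mode


def demo_symlinked_directory():
    """The catch the message notes: if emacs-game-scores is itself a
    symlink to another user's directory, the rename lands in that
    directory and overwrites its file named snake-scores."""
    with tempfile.TemporaryDirectory() as root:
        victim_dir = os.path.join(root, "victim-home")
        os.mkdir(victim_dir)
        victim_scores = os.path.join(victim_dir, SCORES_NAME)
        with open(victim_scores, "w") as f:
            f.write("victim's own scores\n")
        game_dir = os.path.join(root, "emacs-game-scores")
        os.symlink(victim_dir, game_dir)  # directory name replaced by a link
        safe_write(os.path.join(game_dir, SCORES_NAME), "alice 100\n")
        with open(victim_scores) as f:
            return f.read()


if __name__ == "__main__":
    print("naive write, symlinked file:", demo_symlinked_file(naive_write))
    print("safe write, symlinked file: ", demo_symlinked_file(safe_write))
    print("safe write, symlinked dir:  ", repr(demo_symlinked_directory()))
```

The first demo shows `naive_write` replacing the contents of `important.txt` while the scores name stays a symlink; `safe_write` leaves `important.txt` intact and the scores name becomes a regular 0444 file. The second demo shows that rename offers no protection once the containing directory is the thing that was swapped, which is why the message says only files named `snake-scores` remain exposed rather than every file, and why this only matters in a directory that lacks the sticky bit that `/tmp` itself normally carries.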