Re: [Nmh-workers] Re: Diffs for replacing mktemp() usage
From: Valdis . Kletnieks
Subject: Re: [Nmh-workers] Re: Diffs for replacing mktemp() usage
Date: Wed, 03 Feb 2010 13:30:20 -0500
On Tue, 02 Feb 2010 21:38:20 CST, Earl Hood said:
> If the calling code did not immediately use the temp file,
> the new functions close the descriptor returned from mkstemp(),
> but it does NOT delete the file.
>
> Since the file still exists, an external (different uid) process
> cannot create one in its place, so the race condition vulnerability
> does not exist. The file is just sitting there.
Unfortunately, this is only true if the directory you're creating the file
in isn't writable by other processes - in other words, doing this in /tmp
isn't safe, but doing a 'umask 077; mkdir /tmp/$USER' and then
creating /tmp/$USER/$TMPNAME is safe. Sticky bit on the directory helps too,
but we probably should program defensively and get it right even if the
sysadmin failed to do so.
Otherwise, you're still open to a race condition - an attacker can just
rename the file you created, and then stick another file or even a symlink
in place of the old name:
% ls -ld /tmp/foo
drwxrwxrwx. 2 root root 4096 Feb 3 09:30 /tmp/foo
% ls -l /tmp/foo
total 0
-rw-r--r--. 1 root root 0 Feb 3 09:30 bar
% mv /tmp/foo/bar /tmp/foo/baz
% ls -l /tmp/foo
total 0
-rw-r--r--. 1 root root 0 Feb 3 09:30 baz
% touch /tmp/foo/bar
% ls -l /tmp/foo
total 0
-rw-r--r--. 1 valdis valdis 0 Feb 3 09:31 bar
-rw-r--r--. 1 root root 0 Feb 3 09:30 baz
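The two defences Valdis describes, a private 0700 directory and a reopen that refuses to trust the name, carried into working code. This is an added example, not nmh code and not the helper Earl posted; the names create_private_tmp, reopen_checked, simulate_swap and demo are assumptions, as are /tmp as the base directory and /etc/passwd as the attacker's symlink target. The "attacker" step is run as the same uid purely to show that the check fires; in a real world-writable /tmp it would be a different uid doing the rename.

```c
/* Added example (not nmh code). mkdtemp() creates a 0700 directory, which is
 * the same protection as "umask 077; mkdir /tmp/$USER". reopen_checked() then
 * refuses to follow a symlink at the temp name (O_NOFOLLOW) and verifies the
 * reopened file is the very inode mkstemp() created, so even a world-writable
 * directory cannot fool it. All names and paths here are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What we remember about the file while we still hold the mkstemp() fd. */
struct tmp_ident {
    char dir[4096];
    char path[4096];
    dev_t dev;
    ino_t ino;
};

/* Create a private directory under `base`, then a temp file inside it.
 * Mirrors the helper under discussion: the descriptor is closed, the file
 * is left in place, and its dev/ino is recorded for the later reopen check.
 * Returns 0 on success, -1 on error. */
int create_private_tmp(const char *base, struct tmp_ident *id)
{
    struct stat st;
    int fd;

    snprintf(id->dir, sizeof id->dir, "%s/privtmp.XXXXXX", base);
    if (mkdtemp(id->dir) == NULL)                /* mode 0700, owned by us */
        return -1;
    snprintf(id->path, sizeof id->path, "%s/file.XXXXXX", id->dir);
    fd = mkstemp(id->path);                      /* O_EXCL, mode 0600 */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    id->dev = st.st_dev;
    id->ino = st.st_ino;
    close(fd);
    return 0;
}

/* Reopen by name without O_CREAT. O_NOFOLLOW rejects a planted symlink; the
 * dev/ino comparison rejects any other file substituted at that name.
 * Returns an fd, or -1 if the name no longer refers to our file. */
int reopen_checked(const struct tmp_ident *id)
{
    struct stat st;
    int fd = open(id->path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || st.st_dev != id->dev || st.st_ino != id->ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The attacker's move from the message: rename our file aside and put a
 * symlink at the old name. Possible only where the directory is writable
 * by the attacker; done here as ourselves so the check can be exercised. */
int simulate_swap(const struct tmp_ident *id, const char *symlink_target)
{
    char aside[4200];
    snprintf(aside, sizeof aside, "%s.moved", id->path);
    if (rename(id->path, aside) < 0)
        return -1;
    return symlink(symlink_target, id->path);
}

/* Remove everything the demo created. */
static void cleanup(const struct tmp_ident *id)
{
    char aside[4200];
    snprintf(aside, sizeof aside, "%s.moved", id->path);
    unlink(id->path);
    unlink(aside);
    rmdir(id->dir);
}

/* Whole scenario: returns 1 if the untouched reopen succeeds and the reopen
 * after the swap is rejected, 0 otherwise. */
int demo(const char *base)
{
    struct tmp_ident id;
    int fd, ok;

    if (create_private_tmp(base, &id) < 0)
        return 0;
    fd = reopen_checked(&id);            /* nobody touched it: must succeed */
    ok = (fd >= 0);
    if (fd >= 0) close(fd);
    if (simulate_swap(&id, "/etc/passwd") == 0) {
        fd = reopen_checked(&id);        /* name is now a symlink: must fail */
        ok = ok && (fd < 0);
        if (fd >= 0) close(fd);
    } else {
        ok = 0;
    }
    cleanup(&id);
    return ok;
}

int main(void)
{
    puts(demo("/tmp") ? "defensive reopen behaves correctly" : "unexpected result");
    return 0;
}
```

The dev/ino check is what makes the code safe regardless of where the sysadmin put the temp directory or whether the sticky bit is set; keeping the mkstemp() descriptor open and never reopening by name is simpler still, and is the better fix where the calling code allows it.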