I forwarded this to security-audit where the experts got to take a look at it. In general please do use tempfile if possible, since it is a known safe method.

Wichert.

----- Forwarded message from Alan Cox <alan@lxorguk.ukuu.org.uk> -----

From: alan@lxorguk.ukuu.org.uk (Alan Cox)
Subject: Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]
To: wichert@cs.leidenuniv.nl (Wichert Akkerman)
Date: Thu, 1 Apr 1999 13:24:58 +0100 (BST)
Cc: security-audit@ferret.lmh.ox.ac.uk

> > # Create the temporary directory with strict rights
> > (umask 077 && mkdir $tmpdir) || exit 1

mkdir will follow dangling symlinks on some platforms

> tmpdir=${TMPDIR-/tmp}/foo.$$
> mkdir $tmpdir || exit 1
> trap "rm -rf $tmpdir; exit" 0 1 2 3 15

There is a tool called mktemp specifically designed for this. It's an openbsd
tool - very useful for script writers

----- End forwarded message -----

----- Forwarded message from Peter Benie <pjb1008@cam.ac.uk> -----

From: pjb1008@cam.ac.uk (Peter Benie)
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]
Date: Thu, 1 Apr 1999 17:43:52 +0100

Alan Cox writes ("Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]"):
> > > # Create the temporary directory with strict rights
> > > (umask 077 && mkdir $tmpdir) || exit 1
>
> mkdir will follow dangling symlinks on some platforms
>
> > tmpdir=${TMPDIR-/tmp}/foo.$$
> > mkdir $tmpdir || exit 1
> > trap "rm -rf $tmpdir; exit" 0 1 2 3 15
>
> There is a tool called mktemp specifically designed for this. It's an openbsd
> tool - very useful for script writers

On some platforms, the program called 'mktemp' is a security disaster
area - it chooses a predictable name and makes the file unsafely.
On RedHat Linux it's fine though.

Peter

----- End forwarded message -----

----- Forwarded message from Emmanuel Galanos <egalanos@cse.unsw.EDU.AU> -----

From: Emmanuel Galanos <egalanos@cse.unsw.EDU.AU>
To: Peter Benie <pjb1008@cam.ac.uk>
Date: Fri, 2 Apr 1999 14:23:32 +1000 (EST)
cc: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]

On Thu, 1 Apr 1999, Peter Benie wrote:

> Alan Cox writes ("Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]"):
> > > > # Create the temporary directory with strict rights
> > > > (umask 077 && mkdir $tmpdir) || exit 1
> >
> > mkdir will follow dangling symlinks on some platforms
> >
> > > tmpdir=${TMPDIR-/tmp}/foo.$$
> > > mkdir $tmpdir || exit 1
> > > trap "rm -rf $tmpdir; exit" 0 1 2 3 15
> >
> > There is a tool called mktemp specifically designed for this. It's an openbsd
> > tool - very useful for script writers
>
> On some platforms, the program called 'mktemp' is a security disaster
> area - it chooses a predictable name and makes the file unsafely.
> On RedHat Linux it's fine though.

Unfortunately it only creates files (the version on RH).

eman

----- End forwarded message -----

----- Forwarded message from "Troy A. Bollinger" <troy@austin.ibm.com> -----

Date: Thu, 1 Apr 1999 10:09:45 -0600
From: "Troy A. Bollinger" <troy@austin.ibm.com>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: creating tempfiles

Quoting Wichert Akkerman (wichert@cs.leidenuniv.nl):
>
> umask 077
> tmpdir=${TMPDIR-/tmp}/foo.$$
> mkdir $tmpdir || exit 1
> trap "rm -rf $tmpdir; exit" 0 1 2 3 15
>
> "foo" is specific for the script creating the tmpdir. Please don't
> forget to make the base directory for tmpfiles configurable by
> ${TMPDIR-/tmp} which is the way tempfile(1) and tempnam(3) use, too.
> The trap is used to remove the tmpdir when the script terminates (if
> you need, you can additionally tunnel the exit value here).

I've found instances where the script changes the working directory to
the $tmpdir directory which causes the "rm" to fail to remove the
directory on exit. Also, if the attacker creates the $tmpdir directory
first, it prevents the script from executing.

Here's what I've been using (hopefully there aren't too many AIXisms):

-------------------- 8< --------------------
#!/usr/bin/ksh

typeset TMPDIR=${TMPDIR:-/tmp}/${0##*/}.$$

while ! mkdir -m 0700 $TMPDIR 2>/dev/null ; do
    TMPDIR=${TMPDIR%.*}.$(( $$ + $RANDOM ))
done

function cleanup {
    cd /
    /bin/rm -rf $TMPDIR 2>/dev/null
}

trap 'rc=$?; trap "" EXIT; cleanup; exit $rc' INT TERM QUIT HUP
trap 'cleanup; exit' EXIT

tmp=$TMPDIR/tmpfile1
echo "$tmp is not susceptible to symlink races"
echo "$tmp is not susceptible to symlink races" > $tmp
-------------------- 8< --------------------

--
Troy Bollinger                          troy@austin.ibm.com
AIX Security Development                security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy

----- End forwarded message -----

--
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
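The thread's advice (atomic mkdir so a pre-planted file or symlink cannot be followed, an unpredictable name, and a cleanup that first leaves the directory) collected into one POSIX sh script. This is an added example, not code from any of the posters; it assumes a POSIX sh with mkdir -m and /dev/urandom, and uses mktemp -d when present (pass "" as the second argument to force the mkdir fallback). The function and variable names are my own.

```shell
#!/bin/sh
# Added example: create a private temp directory that cannot be hijacked via a
# pre-existing file or symlink, and remove it on exit even if the script cd'd
# into it. Assumes POSIX sh, mkdir -m and /dev/urandom (constructed example).

make_private_tmpdir() {                   # $1 = name prefix, $2 = "" skips mktemp
    base=${TMPDIR:-/tmp} prefix=${1:-tmp}
    if [ "${2-1}" = 1 ] && command -v mktemp >/dev/null 2>&1; then
        # mktemp -d picks an unpredictable name and creates the dir mode 0700.
        mktemp -d "$base/$prefix.XXXXXXXX" && return 0
        return 1
    fi
    # Fallback: mkdir is atomic and fails (rather than following a symlink)
    # if anything already sits at that path, so retry with a fresh random name.
    n=0
    while [ "$n" -lt 100 ]; do
        d="$base/$prefix.$$.$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')"
        if mkdir -m 0700 "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Sanity check before use: a real directory (not a symlink) with mode 0700.
tmpdir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        drwx------) return 0 ;;
        *)          return 1 ;;
    esac
}

# cd out of the tree first: on some platforms rm -rf will not remove the
# current working directory, which is the failure Troy describes above.
cleanup_tmpdir() {
    cd / && rm -rf "$1"
}

tmp=$(make_private_tmpdir "${0##*/}") || exit 1
trap 'cleanup_tmpdir "$tmp"' EXIT
trap 'rc=$?; trap "" EXIT; cleanup_tmpdir "$tmp"; exit $rc' INT TERM QUIT HUP
tmpdir_is_private "$tmp" || exit 1
echo "$tmp/tmpfile1 is not susceptible to symlink races" > "$tmp/tmpfile1"
```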