
Re: [security question] creating tempfiles



I forwarded this to security-audit where the experts got to take a
look at it.

In general please do use tempfile if possible, since it is a known
safe method.

Wichert.

----- Forwarded message from Alan Cox <alan@lxorguk.ukuu.org.uk> -----

From: alan@lxorguk.ukuu.org.uk (Alan Cox)
Subject: Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]
To: wichert@cs.leidenuniv.nl (Wichert Akkerman)
Date: Thu, 1 Apr 1999 13:24:58 +0100 (BST)
Cc: security-audit@ferret.lmh.ox.ac.uk

> >       # Create the temporary directory with strict rights
> >       (umask 077 && mkdir $tmpdir) || exit 1

mkdir will follow dangling symlinks on some platforms

> tmpdir=${TMPDIR-/tmp}/foo.$$
> mkdir $tmpdir || exit 1
> trap "rm -rf $tmpdir; exit" 0 1 2 3 15

There is a tool called mktemp specifically designed for this. It's an OpenBSD
tool - very useful for script writers.


----- End forwarded message -----
----- Forwarded message from Peter Benie <pjb1008@cam.ac.uk> -----

From: pjb1008@cam.ac.uk (Peter Benie)
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]
Date: Thu, 1 Apr 1999 17:43:52 +0100

Alan Cox writes ("Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]"):
> > >       # Create the temporary directory with strict rights
> > >       (umask 077 && mkdir $tmpdir) || exit 1
> 
> mkdir will follow dangling symlinks on some platforms
> 
> > tmpdir=${TMPDIR-/tmp}/foo.$$
> > mkdir $tmpdir || exit 1
> > trap "rm -rf $tmpdir; exit" 0 1 2 3 15
> 
> There is a tool called mktemp specifically designed for this. It's an OpenBSD
> tool - very useful for script writers.

On some platforms, the program called 'mktemp' is a security disaster
area - it chooses a predictable name and makes the file unsafely.
On RedHat Linux it's fine though.

Peter


----- End forwarded message -----
----- Forwarded message from Emmanuel Galanos <egalanos@cse.unsw.EDU.AU> -----

From: Emmanuel Galanos <egalanos@cse.unsw.EDU.AU>
To: Peter Benie <pjb1008@cam.ac.uk>
Date: Fri, 2 Apr 1999 14:23:32 +1000 (EST)
cc: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]

On Thu, 1 Apr 1999, Peter Benie wrote:

> Alan Cox writes ("Re: [roland@spinnaker.rhein.de: Re: [security question] creating tempfiles]"):
> > > >       # Create the temporary directory with strict rights
> > > >       (umask 077 && mkdir $tmpdir) || exit 1
> > 
> > mkdir will follow dangling symlinks on some platforms
> > 
> > > tmpdir=${TMPDIR-/tmp}/foo.$$
> > > mkdir $tmpdir || exit 1
> > > trap "rm -rf $tmpdir; exit" 0 1 2 3 15
> > 
> > There is a tool called mktemp specifically designed for this. It's an OpenBSD
> > tool - very useful for script writers.
> 
> On some platforms, the program called 'mktemp' is a security disaster
> area - it chooses a predictable name and makes the file unsafely.
> On RedHat Linux it's fine though.

	Unfortunately it only creates files (the version on RH).

eman


----- End forwarded message -----
----- Forwarded message from "Troy A. Bollinger" <troy@austin.ibm.com> -----

Date: Thu, 1 Apr 1999 10:09:45 -0600
From: "Troy A. Bollinger" <troy@austin.ibm.com>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: creating tempfiles

Quoting Wichert Akkerman (wichert@cs.leidenuniv.nl):
> 
> umask 077
> tmpdir=${TMPDIR-/tmp}/foo.$$
> mkdir $tmpdir || exit 1
> trap "rm -rf $tmpdir; exit" 0 1 2 3 15
> 
> "foo" is specific for the script creating the tmpdir. Please don't
> forget to make the base directory for tmpfiles configurable by
> ${TMPDIR-/tmp}, which is the way tempfile(1) and tempnam(3) use it, too.
> The trap is used to remove the tmpdir when the script terminates (if
> you need, you can additionally tunnel the exit value here).
> 

I've found instances where the script changes the working directory to
the $tmpdir directory which causes the "rm" to fail to remove the
directory on exit.  Also, if the attacker creates the $tmpdir directory
first, it prevents the script from executing.

Here's what I've been using (hopefully there are not too many AIXisms):

--------------------   8<   --------------------
#!/usr/bin/ksh

# Private work directory under $TMPDIR (default /tmp), named after the script.
typeset TMPDIR=${TMPDIR:-/tmp}/${0##*/}.$$

# mkdir is atomic: if the name is already taken (e.g. pre-created by an
# attacker), pick another name instead of giving up.
while ! mkdir -m 0700 "$TMPDIR" 2>/dev/null ; do
   TMPDIR=${TMPDIR%.*}.$(( $$ + $RANDOM ))
done
function cleanup {
   cd /      # never try to rm -rf the current working directory
   /bin/rm -rf "$TMPDIR" 2>/dev/null
}
trap 'rc=$?; trap "" EXIT; cleanup; exit $rc' INT TERM QUIT HUP
trap 'rc=$?; cleanup; exit $rc' EXIT   # keep the script's own exit status

tmp=$TMPDIR/tmpfile1
echo "$tmp is not susceptible to symlink races"
echo "$tmp is not susceptible to symlink races" > "$tmp"

--------------------   8<   --------------------

-- 
Troy Bollinger                            troy@austin.ibm.com
AIX Security Development        security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy


----- End forwarded message -----
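Putting the thread's points together (Alan's pointer to mktemp, Peter's and Emmanuel's caveats that some mktemp builds are unsafe or cannot make directories, and Troy's mkdir retry loop with cd-before-rm cleanup), here is an added example in POSIX sh. It is not code from any of the messages above. It assumes a POSIX sh with mkdir -m, od and /dev/urandom for the fallback name, and ls -ld output in the usual "drwx------" form; mktemp -d is used only when the installed mktemp actually supports it, otherwise the script falls back to the mkdir loop.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX sh with
# mkdir -m, od and /dev/urandom for the fallback name, and ls -ld output
# in the usual "drwx------" form. mktemp -d is used only if the installed
# mktemp supports it (the thread notes that some do not).

# make_tmpdir PREFIX
# Prints the path of a new mode-0700 directory under ${TMPDIR:-/tmp}.
# Prints nothing and returns 1 if no directory could be created.
make_tmpdir() {
    mt_prefix=$1
    mt_base=${TMPDIR:-/tmp}

    # 1. Prefer mktemp -d: unpredictable name, atomic creation, mode 0700.
    #    A mktemp that lacks -d fails here and we fall through.
    if mt_dir=$(mktemp -d "$mt_base/$mt_prefix.XXXXXXXX" 2>/dev/null) \
        && [ -n "$mt_dir" ]; then
        printf '%s\n' "$mt_dir"
        return 0
    fi

    # 2. Fallback: mkdir(2) is atomic and fails if *anything* already has
    #    the name (a symlink, or a directory an attacker created to block
    #    the script), so an existing entry is never reused. Mixing in
    #    random bytes keeps the name unguessable from the PID alone, and
    #    the loop retries on collision instead of giving up as a plain
    #    "mkdir $tmpdir || exit 1" would.
    mt_try=0
    while [ "$mt_try" -lt 100 ]; do
        mt_try=$((mt_try + 1))
        mt_rand=$(od -An -N4 -tu4 /dev/urandom 2>/dev/null | tr -d ' ')
        [ -n "$mt_rand" ] || mt_rand=$(( $$ * 31 + mt_try ))
        mt_dir="$mt_base/$mt_prefix.$$.$mt_rand"
        if mkdir -m 0700 "$mt_dir" 2>/dev/null; then
            printf '%s\n' "$mt_dir"
            return 0
        fi
    done
    return 1
}

# tmpdir_is_private DIR
# Post-creation check: DIR must be a real directory (not a symlink) with
# no group/other permission bits. Returns 1 otherwise.
tmpdir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# cleanup_tmpdir DIR
# cd away first so the rm cannot fail because the script is still inside
# the directory it is trying to remove.
cleanup_tmpdir() {
    cd / && rm -rf "$1"
}

# install_cleanup_trap DIR
# Remove DIR on normal exit and on the usual signals, keeping the exit
# status. The signal trap disables the EXIT trap so cleanup runs once.
install_cleanup_trap() {
    TMPD=$1
    trap 'rc=$?; trap "" EXIT; cleanup_tmpdir "$TMPD"; exit $rc' INT TERM QUIT HUP
    trap 'rc=$?; cleanup_tmpdir "$TMPD"; exit $rc' EXIT
}

# Demonstration when the script is run directly: the directory is removed
# by the trap, whichever way the script ends.
work=$(make_tmpdir example) || { echo "cannot create temp dir" >&2; exit 1; }
install_cleanup_trap "$work"
tmpdir_is_private "$work" || { echo "$work is not private" >&2; exit 1; }
printf 'created in %s\n' "$work" > "$work/tmpfile1"
cat "$work/tmpfile1"
```

Files are then created inside the returned directory, where no one else can pre-place a symlink, rather than directly in /tmp. The mode check after creation is belt and braces: mkdir -m 0700 and mktemp -d already set the mode, but the check catches a TMPDIR that points somewhere unexpected.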

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
