[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: per-user temp directories by default?

On Thu, Nov 03, 2005 at 11:16:43PM -0500, Noah Meyerhans wrote:
> There are a number of outstanding "insecure tempfile vulnerabilities",
> and there has been some talk that they're both too numerous and of low
> enough impact that they're not even worth releasing DSAs for.  Never the

Where was that talk done? I've been the one auditing that and there have been
DSAs for most of the bugs I've reported to the audit team. Granted, they are
not being issued inmediately (I usually provide the report and a patch), but
they are on the queue as far as I know.

> less, they are potentially dangerous and should be dealt with on some
> level.  We believe that using libpam_tmpdir by default should make
> nearly all of these vulnerabilities cease to be relevant (there are some
> braindead apps that have /tmp hardcoded and don't use $TMP or $TMPDIR).

The problem is, there's lots of those. And when I mean lots I mean that I
have a list of ~4780 binary packages of which at least ~2300 make use of
insecure tempfiles for sure and the others need to be reviewed (as the script
I use produces false positives and false negatives). And that doesn't include
the source packages that use /tmp insecurely (i.e. when building a package).
I have focused fixing the issue in the most popular packages (stuff like
mozilla, mysql, lm-sensors, lintian, lilo, cfengine, to name a few) and
I'm producing patches for the rest as time permits.

There's even scripts that use 'mktemp' but don't use the -t option so they
are rooted in /tmp nevertheless (notice that 'tempfile' does this by
default). And there are even some packages which do _not_  have insecure
tempfile vulnerabilities but hardcode the directory or file location to /tmp
in any case.

IMHO, it's a worthwhile goal for etch but it should be done at the same time
that there is a policy change mandating the use of mktemp/tempfile for shell
scripts, File::Temp in perl scripts, tempnam in Php, tmpfile in C and safe
constructs in those languages that lack a proper implementation (see #291389,
for example).



Attachment: signature.asc
Description: Digital signature

Reply to: