[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2008-5378: possible symlink attacks

Thomas Viehmann wrote:
> Andreas Tille wrote:
>>   2. Make the temp file save against symlink attacks.  The question
>>      I have for this case which should probably be prefered is: How
>>      can I savely teach an independent script about the PIDs of a
>>      crashed program that should be stopped.  I think random file names
>>      will not really work here or do I miss something?
> How about using mkstemp with a prefix containing the pid (i.e. template
> foo_$PID_XXXXXX) and have other programs discard the random part. The
> main thing here is that he file must be created in a way that ensures
> the file to be created does not exist, not that it must not contain a
> pattern.

Oh, and if you really care, be sure that it's a regular file (not a
symlink pointing to something) owned by yourself before using it as a
hint to kill your processes.

Kind regards

Thomas Viehmann, http://thomas.viehmann.net/

Reply to: