Re: CVE-2008-5378: possible symlink attacks
Andreas Tille wrote:
> On Mon, 29 Dec 2008, Thomas Viehmann wrote:
>
>> Never use mktemp().
>
> Args - I've read this and intended to use in both cases mkstemp - but then
> just forgot this. I think just for reading files mktemp is fine. The
> rationale is that I do not really want to rewrite the reading routine
> which opens the file to read. The mkstemp function also opens the file
> and returns a handle - which is just very different from the current code.
> I commited a hopefully better patch (where mkstemp is used for writing
> a file).
Hm. What is reading here?
Also, mkstemp(3):
The last six characters of template must be "XXXXXX" and these
are replaced with a string that makes the filename
unique. Since it will be modified, template must not be a
string constant, but should be declared as a character array.
so you have the name readily available.
>> The killing part is also still somewhat wrong, IMO you want something
>> along the lines of
>> x=$(stat -c '%u %f' x) ; [ "${x%???}" == "$UID 8" ] || echo fail
>> to test whether it's a regular file that you own (though there is bound
>> to be a prettier way to verify that, even if [ -f ... ] is not part of
>> it).
> Do you think that this is definitely needed to avoid any security
> problem in this specific case?
Don't know, causing people to accidentally kill their processes seems
nasty to me, but it might not be that critical.
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Reply to: