Re: severity for bugs in ignoring TMP/TMPDIR?

Paul Wise <pabs@debian.org> writes:
> On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote:

>> If you (or the maintainer) review the code or analyse the program's
>> behaviour and it is using *fixed* (i.e. not random) filenames for the
>> temporary files or for the directories they are created in (/tmp or
>> /var/tmp), you might want to suggest the maintainer to review if the
>> code in charge of creating temporary files is doing this properly.

> Should I find hard-coded uses of /tmp/, do you have any suggestions or
> tips about how to assess the security impact of these issues? Up to now
> I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo
> and checked if ~pabs/foo was overwritten. I wonder if there are any
> tools to automatically assess the impact of these issues by using
> LD_PRELOAD and/or fs/user namespaces, are you aware of any of these?

You could probably use strace to find problems by looking for an
open(O_CREAT) of a file in /tmp that doesn't look like it's
mkstemp-created (ending in six random characters) and doesn't use O_EXCL.
You'll get some false positives from files in safely-created directories.

> Based on a quick grep of /usr/bin/* I expect you are correct.

My grep doesn't look *too* awful on the fixed file name front.

What grep did you try?  Looking for /tmp in a binary that doesn't also
reference TMPDIR?

> I wonder if a pedantic/experimental lintian warning about hardcoding
> use of /tmp/ would be doable or helpful, any thoughts?

Lintian already tries to do some stuff for shell scripts.  The general
problem is rather hard to detect.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
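
An added example (not part of the message above, and not a Debian or lintian tool) of the strace-based check Russ describes: scan open()/openat()/creat() lines from an strace log for files created under /tmp or /var/tmp with O_CREAT but without O_EXCL, and mark whether the name looks fixed rather than mkstemp-generated. The strace lines below are constructed for the example; the "looks like mkstemp" test (six trailing alphanumerics containing at least one digit or capital) is an assumed heuristic, so expect the false positives Russ mentions for files inside safely created directories.

```python
import os
import re

# Constructed sample strace output, not taken from any real program.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/tmp/fooXyZ123", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
openat(AT_FDCWD, "/tmp/foo.log", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
open("/tmp/build.lock", O_WRONLY|O_CREAT, 0644) = 5
openat(AT_FDCWD, "/var/tmp/cache.db", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 6
openat(AT_FDCWD, "/home/user/notes.txt", O_WRONLY|O_CREAT, 0644) = 7
openat(AT_FDCWD, "/tmp/abc.txt", O_RDONLY) = 8
[pid  4242] openat(AT_FDCWD, "/tmp/sess_a1B2c3", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 9
creat("/tmp/out", 0644) = 10
"""

TMP_DIRS = ("/tmp/", "/var/tmp/")

# Matches open("/path", FLAGS, ...), openat(AT_FDCWD, "/path", FLAGS, ...)
# and creat("/path", MODE), with the optional "[pid N]" prefix of strace -f.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'
    r'(?P<call>open|openat|creat)\('
    r'(?:(?:AT_FDCWD|\d+),\s*)?'       # openat's dirfd argument, if present
    r'"(?P<path>[^"]*)"'
    r'(?:,\s*(?P<flags>[A-Z_|]+))?'    # flag list; absent for creat()
)


def parse_open_call(line):
    """Return (path, set_of_flags) for a file-creating syscall line, else None."""
    m = OPEN_RE.match(line)
    if not m:
        return None
    flags = set((m.group("flags") or "").split("|")) - {""}
    if m.group("call") == "creat":
        # creat(2) is defined as open with O_WRONLY|O_CREAT|O_TRUNC.
        flags |= {"O_WRONLY", "O_CREAT", "O_TRUNC"}
    return m.group("path"), flags


def looks_mkstemp(path):
    """Heuristic (assumption): mkstemp replaces a trailing XXXXXX with six
    characters from [A-Za-z0-9]; require at least one digit or capital so
    ordinary words such as "report" are not mistaken for random suffixes."""
    tail = os.path.basename(path)[-6:]
    return (len(tail) == 6 and tail.isalnum()
            and any(c.isdigit() or c.isupper() for c in tail))


def audit_trace(trace_text):
    """Report creations under /tmp or /var/tmp that lack O_EXCL.

    Without O_EXCL an existing file or symlink at that path is opened
    instead of a fresh file, which is the clobbering case Paul tested by
    hand with a symlink; a random-looking name narrows the window but
    does not close it, so it is reported too, with fixed_name=False."""
    findings = []
    for lineno, line in enumerate(trace_text.splitlines(), 1):
        parsed = parse_open_call(line)
        if parsed is None:
            continue
        path, flags = parsed
        if not path.startswith(TMP_DIRS) or "O_CREAT" not in flags:
            continue
        if "O_EXCL" in flags:
            continue  # mkstemp-style exclusive creation: fine
        findings.append({
            "line": lineno,
            "path": path,
            "flags": "|".join(sorted(flags)),
            "fixed_name": not looks_mkstemp(path),
        })
    return findings


if __name__ == "__main__":
    for f in audit_trace(SAMPLE_TRACE):
        kind = "FIXED NAME" if f["fixed_name"] else "random name"
        print(f"line {f['line']}: {f['path']} ({f['flags']}) - no O_EXCL, {kind}")
```

Feed it the output of `strace -f -e trace=open,openat,creat ./program`; lines with other prefixes (for example the timestamps from `-t`) need the regex's leading part adjusted, and relative paths opened from a cwd under /tmp are not caught. Paths that are only reached through a directory the program itself created with mkdtemp will show up as findings even though they are safe, which is the false-positive class Russ points out.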