Re: severity for bugs in ignoring TMP/TMPDIR?
Paul Wise <firstname.lastname@example.org> writes:
> On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote:
>> If you (or the maintainer) review the code or analyse the program's
>> behaviour and it is using *fixed* (i.e. not random) filenames for the
>> temporary files or for the directories they are created in (/tmp or
>> /var/tmp), you might want to suggest that the maintainer review whether
>> the code in charge of creating temporary files is doing this properly.
> Should I find hard-coded uses of /tmp/, do you have any suggestions or
> tips about how to assess the security impact of these issues? Up to now
> I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo
> and checked if ~pabs/foo was overwritten. I wonder if there are any
> tools to automatically assess the impact of these issues by using
> LD_PRELOAD and/or fs/user namespaces; are you aware of any of these?
You could probably use strace to find problems by looking for an
open(O_CREAT) of a file in /tmp that doesn't look like it's
mkstemp-created (ending in six random characters) and doesn't use O_EXCL.
You'll get some false positives from files in safely-created directories.
> Based on a quick grep of /usr/bin/* I expect you are correct.
My grep doesn't look *too* awful on the fixed file name front.
What grep did you try? Looking for /tmp in a binary that doesn't also
> I wonder if a pedantic/experimental lintian warning about hardcoding
> use of /tmp/ would be doable or helpful, any thoughts?
Lintian already tries to do some stuff for shell scripts. The general
problem is rather hard to detect.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
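The strace-based check described above, as an added example that is not part of the original thread: a Python filter over `strace -f -e trace=open,openat` output that flags O_CREAT opens under /tmp or /var/tmp which lack O_EXCL and do not look mkstemp-named, and downgrades files inside a randomly named (mkdtemp-style) directory to handle the false positive mentioned in the reply. The trace lines are constructed, and the "six trailing alphanumerics" test for a mkstemp name is an assumed heuristic.

```python
import re

# Matches the open()/openat() lines strace prints, e.g.
#   4242 openat(AT_FDCWD, "/tmp/foo", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
OPEN_RE = re.compile(
    r'(?:open|openat)\((?:AT_FDCWD, |\d+, )?"(?P<path>[^"]+)", (?P<flags>[A-Z_|]+)')
TMP_DIRS = ("/tmp/", "/var/tmp/")
# Assumed heuristic for a mkstemp/mkdtemp name: the component ends in six
# letters/digits (from a trailing "XXXXXX" template) and is not a plain word.
RANDOM_SUFFIX_RE = re.compile(r'[A-Za-z0-9]{6}$')


def looks_random(component: str) -> bool:
    tail = component[-6:]
    return bool(RANDOM_SUFFIX_RE.search(component)) and any(
        c.isdigit() or c.isupper() for c in tail)


def classify(line: str):
    """Return (verdict, path) for one strace line, or None if it is not an open() under a tmp dir."""
    m = OPEN_RE.search(line)
    if not m:
        return None
    path, flags = m.group("path"), set(m.group("flags").split("|"))
    if not path.startswith(TMP_DIRS):
        return None
    if "O_CREAT" not in flags:
        return ("read-only open, not a creation", path)
    if "O_EXCL" in flags:
        return ("ok: created with O_CREAT|O_EXCL", path)
    base = next(d for d in TMP_DIRS if path.startswith(d))
    parts = path[len(base):].split("/")
    if any(looks_random(p) for p in parts[:-1]):
        return ("probably ok: inside a randomly named directory", path)
    if looks_random(parts[-1]):
        return ("probably ok: mkstemp-style name", path)
    return ("SUSPECT: fixed name in tmp dir created without O_EXCL", path)


def suspects(trace: str):
    """Paths of all flagged creations in a captured trace."""
    results = filter(None, map(classify, trace.splitlines()))
    return [path for verdict, path in results if verdict.startswith("SUSPECT")]


# Constructed sample trace, not captured from a real program.
SAMPLE_TRACE = """\
4242 openat(AT_FDCWD, "/tmp/myapp.lock", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
4242 openat(AT_FDCWD, "/tmp/fileQx7Kd2", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
4242 openat(AT_FDCWD, "/tmp/build.k2Lp9Q/out.o", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
4242 open("/var/tmp/cache", O_WRONLY|O_CREAT, 0644) = 6
4242 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 7
4242 openat(AT_FDCWD, "/tmp/report.txt", O_RDONLY) = 8
"""
```

Run it against a real capture with `suspects(open("trace.log").read())`; a flagged path only means the creation deserves a look, since the reply notes that files in safely created directories can still show up.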