[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: severity for bugs in ignoring TMP/TMPDIR?

Russ Allbery writes ("Re: severity for bugs in ignoring TMP/TMPDIR?"):
> You could probably use strace to find problems by looking for an
> open(O_CREAT) of a file in /tmp that doesn't look like it's
> mkstemp-created (ending in six random characters) and doesn't use O_EXCL.
> You'll get some false positives from files in safely-created directories.

I once proposed a kernel patch which would detect all of these unsafe
tmpfile problems (except if the attack was actually being carried out)
and turn them into hard failures.

The rule would be that if:
  * A file is being opened in a sticky directory
  * The file is going to be created by this operation
  * O_EXCL was not specified
then the syscall fails with EPERM.

This didn't meet with general approval but I still think it would be a
good idea, at least to try.  And it might even be less effort than
messing with strace, because strace has some pretty serious signal
handling bugs which mean that programs with complicated process farms
often don't work properly under strace.


Reply to: