Re: severity for bugs in ignoring TMP/TMPDIR?

To: Russ Allbery <rra@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: severity for bugs in ignoring TMP/TMPDIR?
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Mon, 13 Feb 2012 12:40:27 +0000
Message-id: <[🔎] 20281.1211.909188.106171@chiark.greenend.org.uk>
In-reply-to: <[🔎] 877gzursh6.fsf@windlord.stanford.edu>
References: <[🔎] 1328410290.7032.165.camel@chianamo> <[🔎] CAKTje6GKBf2zJjvzfVHwszPzMdf6ns4MdQ1k2LxTvoO6LYKQtw@mail.gmail.com> <[🔎] CAB9B7Usje98Ym875bpa9kfBBuf67WpdHJ48-WszirvO-ssj6BQ@mail.gmail.com> <[🔎] CAKTje6FPdwiHApZH7TOkMSC59Me=ExgZgHrYXQNT8VTcka==BA@mail.gmail.com> <[🔎] 877gzursh6.fsf@windlord.stanford.edu>

Russ Allbery writes ("Re: severity for bugs in ignoring TMP/TMPDIR?"):
> You could probably use strace to find problems by looking for an
> open(O_CREAT) of a file in /tmp that doesn't look like it's
> mkstemp-created (ending in six random characters) and doesn't use O_EXCL.
> You'll get some false positives from files in safely-created directories.

I once proposed a kernel patch which would detect all of these unsafe
tmpfile problems (except if the attack was actually being carried out)
and turn them into hard failures.

The rule would be that if:
  * A file is being opened in a sticky directory
  * The file is going to be created by this operation
  * O_EXCL was not specified
then the syscall fails with EPERM.

This didn't meet with general approval but I still think it would be a
good idea, at least to try.  And it might even be less effort than
messing with strace, because strace has some pretty serious signal
handling bugs which mean that programs with complicated process farms
often don't work properly under strace.

Ian.

Reply to:

Follow-Ups:
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: md@Linux.IT (Marco d'Itri)
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- severity for bugs in ignoring TMP/TMPDIR?
  - From: Paul Wise <pabs@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Paul Wise <pabs@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Javier Fernandez-Sanguino <jfs@computer.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Paul Wise <pabs@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: [DEP9] call for testing of reconf-inetd (update-inetd replacement)
Next by Date: Re: severity for bugs in ignoring TMP/TMPDIR?
Previous by thread: Re: severity for bugs in ignoring TMP/TMPDIR?
Next by thread: Re: severity for bugs in ignoring TMP/TMPDIR?
Index(es):
- Date
- Thread