Bug#286379: lintian: Insecure temporary directory usage

[Jeroen van Wolffelaar <jeroen@wolffelaar.nl>]

On Tue, Dec 21, 2004 at 01:18:27AM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> _However_ if it does not exist the lab is created, if the user has a 
> "insecure" umask (002) you will end up being prey to symlink attacks due 
> to a race condition check this (when setting up the lab):

If you have a umask of 002 you can expect people of the same group to
do nasty things with you... Isn't that the whole point of umask? If I
set umask of 0, I'll be vulnerable too, to a whole lot of issues.
 
> So what you have here is a race condition because of temporary 
> files. Granted, this only happens when you have a lax umask, but it could 
> be prevented either by using a proper function to create temporary 
> directories (tempdir() will set them up mode 700) or by restricting the 
> umask to 0700 when creating the temporary directories in Lab::setup().

No need to extra-restrict IMHO, I don't think one should restrict
permissions above what's needed according to the user. On systems where
I have a 02 umask, I *intent* for users of the same group to be able
to write to all the stuf I do. If that's not intended, well, don't have
a 02 umask.
 
> I did not properly assess the issue in the initial report, but I still
> believe that Lintian has a security bug which introduces a hole under
> some conditions and that could be easily fixed.

I, and with me one other lintian maintainer I consulted, still don't
think this is a security bug (the different issue w.r.t. removing files
however still stands).
 
> PS: Yes, version was 1.23.3, blame it on opening up multiple bug reports at 
> 1 am

Thought something like that :), n/p.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl