
Re: Bug#19797: libc6-dev: use of /tmp/*$$ in an insecure fashion



Dale Scheetz writes ("Re: Bug#19797: libc6-dev: use of /tmp/*$$ in an insecure fashion"):
...
> Consider this a formal request for clarification of the policy with
> respect to "insecure use of tmp". It seems to me this is only a security
> issue when it is a security issue ;-) and in this instance I don't see the
> code in question as a system security issue.
...
> 	2. The execution of the "offensive" code need not be done as root.
> 
> 	3. This code has no effect on the installation or configuration of
> 	   this package, so violation of security during installation has
> 	   no contribution from this code.
> 
> 	4. If this is a "correct" reading of the policy issue, and you
> 	   think the policy is not clear, please ask that the policy make
> 	   it clear by requiring this "correct tmp behavior" only during
> 	   installation, or when the code will be run as root, and not
> 	   during build processes that are not expected to be run as root.

Insecure use of /tmp is a security problem for anyone who runs a
program which does it.  This is obviously most serious if the program
is run by dpkg during installation, or if it is regularly run as root
or needs to be run as root to work.

However, it's also a problem even if you don't have to run it as root.
Any other user on the system can trojan the account of a person who
runs the faulty program.

If you weren't suggesting that it was only relevant if the program was
run by root, then please clarify your question - thanks.

I presume that the relevant part of the manual is this (3.3.4 in
2.4.1.0):

    Any scripts which create files in world-writable directories
    (e.g., in /tmp) have to use a mechanism which will fail if a file
    with the same name already exists.

This is less than ideal.  It should state the reason, and the
specification is too loose.  How about:

    Any program which creates files in a world-writable directory
    (e.g., in /tmp) must use a mechanism which will fail if a file (or
    symlink) with the same name already exists; usually this means
    calling open(..,O_EXCL|O_CREAT,..) in C programs, or using the
    `tempfile' helper program in scripts.  Allowing overwriting
    existing files is a security hole - such a program can be tricked
    by other users on the system into overwriting files belonging to
    the person who runs it.

Ian.

