
Re: Bug#19797: libc6-dev: use of /tmp/*$$ in an insecure fashion



On Mon, 15 Jun 1998, Ian Jackson wrote:

> Insecure use of /tmp is a security problem for anyone who runs a
> program which does it.  This is obviously most serious if the program
> is run by dpkg during installation, or if it is regularly run as root
> or needs to be run as root to work.
> 
> However, it's also a problem even if you don't have to run it as root.
> Any other user on the system can trojan the account of a person who
> runs the faulty program.
> 
> If you weren't suggesting that it was only relevant if the program was
> run by root, then please clarify your question - thanks.
> 
> I presume that the relevant part of the manual is this (3.3.4 in
> 2.4.1.0):
> 
>     Any scripts which create files in world-writable directories
>     (e.g., in /tmp) have to use a mechanism which will fail if a file
>     with the same name already exists.
> 
> This is less than ideal.  It should state the reason, and the
> specification is too loose.  How about:
> 
>     Any program which creates files in a world-writable directory
>     (e.g., in /tmp) must use a mechanism which will fail if a file (or
>     symlink) with the same name already exists; usually this means
>     calling open(..,O_EXCL|O_CREAT,..) in C programs, or using the
>     `tempfile' helper program in scripts.  Allowing overwriting
>     existing files is a security hole - such a program can be tricked
>     by other users on the system into overwriting files belonging to
>     the person who runs it.
> 
Thanks Ian, this is a better clarification.

For Ulrich, I want to make some clarification of my own.

The "insecure use of tmp" takes place in the file glibcbug.in, and only
occurs during the configuration of the glibc package preparatory to the
build. It is never distributed in anything but the source.

I will certainly patch the Debian version of the code, but it is not clear
that the upstream maintainer will wish to include this patch. It is my
understanding that the "tempfile" helper program is Debian-specific, and
may not be available on all Linux systems. I can certainly make the patch
deal with this situation by falling back on the insecure method when
tempfile is not available, but that is not a general fix, only a
Debian-specific one.

I guess that this means we should work toward gaining some acceptance of
the need for secure tmp files in the broader Linux community, and a
"standard" way of securing this process?

Thanks,

Dwarf
--
_-_-_-_-_-   Author of "The Debian Linux User's Guide"  _-_-_-_-_-_-

aka   Dale Scheetz                   Phone:   1 (850) 656-9769
      Flexible Software              11000 McCrackin Road
      e-mail:  dwarf@polaris.net     Tallahassee, FL  32308

_-_-_-_-_-_- If you don't see what you want, just ask _-_-_-_-_-_-_-
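As an added illustration of the race Ian describes above (this is example
code written for this page; it is not glibc's glibcbug.in, not Debian's
tempfile, and not part of either message): a shell script that stages the
attack in a private scratch directory standing in for /tmp, first with the
"/tmp/name$$" pattern and then with an exclusive-create helper, preferring
tempfile(1) where it exists and mktemp(1) otherwise, and refusing to run
rather than falling back to the insecure form. The victim file, the
"glibcbug.$$" name and the contents written are constructed for the
demonstration.

```shell
#!/bin/sh
# Added demonstration for this thread; not code from glibc, glibcbug.in
# or Debian policy. It reproduces the /tmp/*$$ race in a private scratch
# directory (standing in for /tmp) and shows the exclusive-create fix.
# VICTIM, the glibcbug.$$ name and "bug report body" are constructed.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
VICTIM="$WORK/victim_rc"   # a file owned by the user running the script

# Put the scratch directory back into its starting state: victim file
# present with known contents, no leftover attacker symlink.
reset_scratch() {
    rm -f "$WORK/glibcbug.$$"
    printf 'original contents\n' > "$VICTIM"
}

# Returns 0 if the victim's file still has its original contents.
victim_intact() {
    [ "$(cat "$VICTIM")" = "original contents" ]
}

# Attacker (another local user): predicts the PID-based name and plants
# a symlink there before the script writes. Here $$ is simply known.
plant_symlink() {
    ln -s "$VICTIM" "$WORK/glibcbug.$$"
}

# Insecure pattern, the shape reported against glibcbug.in: plain '>'
# redirection opens with O_CREAT|O_TRUNC, follows the symlink, and
# truncates whatever file the attacker pointed it at.
insecure_tmp() {
    echo "bug report body" > "$WORK/glibcbug.$$"
}

# Fixed pattern: have the OS create the file only if NOTHING (symlink
# included) already has that name, i.e. open(O_CREAT|O_EXCL) on a random
# name. tempfile(1) is Debian's helper, mktemp(1) the widely available
# one. When neither exists, fail instead of falling back to $$.
# Prints the path of the created file.
secure_tmp() {
    if command -v tempfile >/dev/null 2>&1; then
        tempfile -d "$WORK" -p glbug
    elif command -v mktemp >/dev/null 2>&1; then
        mktemp "$WORK/glibcbug.XXXXXX"
    else
        echo "no exclusive-create helper (tempfile/mktemp) found" >&2
        return 1
    fi
}

# Walk through both variants and report what happened to the victim.
demo() {
    reset_scratch; plant_symlink; insecure_tmp
    if victim_intact; then echo "insecure: victim untouched (unexpected)"
    else echo "insecure: victim file was overwritten via the symlink"; fi

    reset_scratch; plant_symlink
    tmp=$(secure_tmp) || return 1
    echo "bug report body" > "$tmp"
    if victim_intact; then echo "secure:   wrote to $tmp, victim untouched"
    else echo "secure:   victim overwritten (unexpected)"; fi
}

demo
```

The primitive behind both helpers is open(2) with O_CREAT|O_EXCL, which
refuses to create the file if any directory entry, a dangling symlink
included, already carries that name, with no window between the check and
the create. Applying O_EXCL to the fixed "/tmp/name$$" alone is not
enough: the name stays guessable, so another user can still make the
program fail by planting the entry first, which is why the helpers also
randomize the name.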

