Temp file attack auditing
On Thu, Nov 23, 2000 at 05:50:06PM -0500, Daniel Burrows wrote:
> On Thu, Nov 23, 2000 at 06:35:54PM -0400, Peter Cordes <firstname.lastname@example.org> was heard to say:
> > > ghostscript uses temporary files to do some of its work. Unfortunately
> > > the method used to create those files wasn't secure: mktemp was used
> > > to create a name for a temporary file, but the file was not opened
> > > safely.
> > There seems to be a lot of this going on. Is it possible to modify glibc
> > so that it flags dangerous actions with stuff in /tmp?
> When I link aptitude, I get a warning about "mktemp is insecure and
> should not be used". (ObImNotACompleteIdiot: aptitude creates temporary files
> in a 600 subdirectory of the user's $HOME, which as far as I know should be
> fairly secure -- please tell me if I'm wrong!)
> So I think something like this is already done somewhere.
Yeah, that's at link time. gcc (or ld I guess) warns about gets(), too. I
was thinking a runtime check would be useful, since then you could actually
check whether the argument was a private directory or a publicly-writeable
one like /tmp, and be fairly sure you weren't seing false alarms.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(email@example.com. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE