[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Temp file attack auditing

On Thu, Nov 23, 2000 at 05:50:06PM -0500, Daniel Burrows wrote:
> On Thu, Nov 23, 2000 at 06:35:54PM -0400, Peter Cordes <peter@llama.nslug.ns.ca> was heard to say:
> > > ghostscript uses temporary files to do some of its work. Unfortunately
> > > the method used to create those files wasn't secure: mktemp was used
> > > to create a name for a temporary file, but the file was not opened
> > > safely.
> >  There seems to be a lot of this going on.  Is it possible to modify glibc
> > so that it flags dangerous actions with stuff in /tmp?
>   When I link aptitude, I get a warning about "mktemp is insecure and
> should not be used".  (ObImNotACompleteIdiot: aptitude creates temporary files
> in a 600 subdirectory of the user's $HOME, which as far as I know should be
> fairly secure -- please tell me if I'm wrong!)
>   So I think something like this is already done somewhere.

 Yeah, that's at link time.  gcc (or ld I guess) warns about gets(), too.  I
was thinking a runtime check would be useful, since then you could actually
check whether the argument was a private directory or a publicly-writeable
one like /tmp, and be fairly sure you weren't seing false alarms.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: