Re: insecure temporary file creation

[Colin Phipps <cph@netcraft.com>]

On Wed, Feb 07, 2001 at 11:39:36AM +1300, Matthew Sherborne wrote:
> Because there were quite a few insecure temp file creation reports a while
> ago, perhaps some of us should use this tool to find more ASAP.

Agreed, it would only take a few people using good tools to detect these 
and these problems could be almost wiped out.

> [012] - Eliott 1.0 (Stable)
>   by j (http://freshmeat.net/users/frankdenis/)
> Monday, February 5th 2001 16:51
> 
> Eliott is a tool to help system administrators and programmers discover
> insecure temporary file creation, even in closed-source applications. It
> watches a directory for file creation/deletion/writes using the dnotify
> facility of Linux 2.4.x . Every change is logged, even temporary files with
> a very short lifetime. In addition to logging, Eliott can simulate
> hard-link exploits in order to find and report vulnerable applications.

This appears to just log temporary files, which is a start but not terribly 
useful unless you've got a lot of time to sift through looking for the bad
ones.

Personally, I prefer to use a direct kernel patch, which can look at every
open(2) call and check the flags passed and the directory modes, so it 
can report only the real vulnerabilities without any false positives.

For those who are interested, this is the kernel patch I used to root out 
a couple of dozen /tmp races prior to the potato release: 
http://www.cph.demon.co.uk/linux-2.2-cph4.diff.txt . It logs any unsafe
file creation (defined as an open(2) with O_CREAT but not O_EXCL in a world 
writable directory).

It's a crude hack but works well. I have a version for 2.4.x which I didn't
get around to uploading yet. There may be a better patch around, it's awhile
since I looked; I'd be interested to know if anyone finds a better way of 
detection.

Colin