Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
On Sun, Jan 05, 2003 at 11:55:57AM +0000, Julian Gilbey wrote:
> On Sat, Jan 04, 2003 at 09:34:39PM -0500, Matt Zimmerman wrote:
> > > The point, though, is: once the file has been created, a symlink
> > > attack can be used if the directory is world-writeable (with no sticky
> > > bit set). Does tempfile only create files in "safe" directories?
> >
> > man tempfile:
> >
> > The directory to place the file is searched for in the following order:
> >
> > a) The directory specified by the environment variable TMPDIR, if
> > it is writable.
> >
> > b) The directory specified by the --directory argument, if given.
> >
> > c) The directory /tmp.
>
> No, that's not good enough as this bug report points out: if TMPDIR is
> specified and is world-writable without a sticky bit, or if /tmp is
> similarly, then this opens us up for a race condition.
TMPDIR is the user's responsibility; if it is set to an insecure location,
they are only exploiting themselves. --directory is the caller's
responsibility; if it is set to an insecure location, it is exposing the
user and must be fixed. The default of /tmp is sane.
A user could make their home directory world-writable; this doesn't mean
that every program should try to protect itself against attacks when reading
and writing their configuration files.
> I don't have a good suggestion for how to fix tempfile properly, other
> than for it to test the directory and to fail if these conditions are
> not properly met.
tempfile is fine, and trying to check this properly is a lot of trouble for
minimal gain. Consider that it must check permissions _and ownership_ for
every parent directory leading up to the root in order to be sure, and even
then there is no realistic test. World writability? Sticky bit? Group
writability? What if the group only contains administrators, and they
require write access to (e.g.) the directory which contains home
directories?
> I'm going to send this on to security.
Send it as you like, but tempfile is not buggy here.
--
- mdz
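For readers who want to see what the "test the directory" proposal above would actually involve, here is an added example in Python; it is not code from tempfile(1), debianutils or the xdvi wrapper. It walks from a candidate directory up to /, checking ownership and mode of every component, mirrors tempfile's TMPDIR / --directory / /tmp search order, and creates the file with O_EXCL via mkstemp. The policy in `component_ok` (root or caller must own each component; world- or group-writable only with the sticky bit) and all function names are assumptions made for this example; the group-writable rule is the ambiguous case mdz raises, and the example deliberately rejects it.

```python
"""Ancestor-walk check for a temporary directory (added example, not tempfile(1) code)."""
import os
import stat
import tempfile


def component_ok(st_mode, st_uid, uid):
    """Is one directory on the path acceptable for user `uid`?

    Policy (an assumption for this example, not tempfile(1)'s):
      - it must be a directory owned by root or by the caller;
      - world-writable is tolerated only with the sticky bit set (like /tmp);
      - group-writable likewise needs the sticky bit. An admin-only group that
        may write the parent of the home directories is rejected here, which is
        exactly the "no realistic test" problem from the thread.
    """
    if not stat.S_ISDIR(st_mode):
        return False
    if st_uid not in (0, uid):
        return False
    sticky = bool(st_mode & stat.S_ISVTX)
    if st_mode & stat.S_IWOTH and not sticky:
        return False
    if st_mode & stat.S_IWGRP and not sticky:
        return False
    return True


def unsafe_components(path, uid=None):
    """Return the ancestors of `path` (itself included) that fail the policy.

    Symlinks are resolved first so every component the kernel traverses is the
    one inspected; an empty result means the directory passed.
    """
    if uid is None:
        uid = os.geteuid()
    cur = os.path.realpath(path)
    bad = []
    while True:
        try:
            st = os.lstat(cur)
        except OSError:
            bad.append(cur)
        else:
            if not component_ok(st.st_mode, st.st_uid, uid):
                bad.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            return bad
        cur = parent


def is_safe_tmpdir(path, uid=None):
    return not unsafe_components(path, uid)


def choose_tmpdir(directory=None, env=None):
    """tempfile(1)'s search order (TMPDIR, --directory, /tmp), with each
    candidate additionally required to pass the ancestor check."""
    env = os.environ if env is None else env
    for cand in (env.get("TMPDIR"), directory, "/tmp"):
        if cand and os.access(cand, os.W_OK) and is_safe_tmpdir(cand):
            return cand
    return None


def open_tempfile(directory):
    """Create the file with O_CREAT|O_EXCL (what mkstemp does) and hand back
    the descriptor. The caller must keep using the fd: reopening the file by
    name is the step a symlink race exploits in a non-sticky directory."""
    return tempfile.mkstemp(dir=directory)


if __name__ == "__main__":
    for cand in (os.environ.get("TMPDIR"), "/tmp", os.path.expanduser("~")):
        if cand:
            print(cand, "-> unsafe components:", unsafe_components(cand) or "none")
```

Running it against a typical system shows the practical problem: /tmp passes, but a home directory whose parent is group-writable by an administrators' group fails, and there is no way for the check to tell that case apart from a genuinely exposed directory.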