Bugtraq mailing list archives

Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10


From: woods () ncar UCAR EDU (Greg Woods)
Date: Wed, 30 Aug 1995 11:19:01 MDT


> I'd have thought that having /tmp mode 1777, using tempnam()
> to get the file name, and creating this file in mode 0600 would be
> sufficient.

It's not. Since /tmp is world-readable, anyone can determine what the
actual file name is, so generating random names does not help.  Since
/tmp is world-writeable, if the sticky bit is not set, then anyone can
remove the file (and replace it with one of their own) no matter what
the permissions on the file were. If the program is coded so that it
closes and re-opens the file later, which of course it does in this
case since it contains cache data that is saved between invocations of
the program, you can feed the program bogus data this way. The program
can be coded to check when it re-opens the file to make sure it's still
the same owner and permissions that it was before, but that kind of fix
has to be made in every single program that uses temp cache files. The
only generic fix is to set the sticky bit in the tmp directory, which
prevents anyone from removing (and replacing) files they don't own.

--Greg
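
The re-open check and the sticky-bit test described in the message above, as an added C example that is not part of the original post. The function names are hypothetical, and the symlink, regular-file and link-count checks go beyond the owner and permission check the post mentions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if other users cannot remove or replace files in dir:
 * either dir is not group/world-writable, or its sticky bit is set. */
int dir_protects_files(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        return 1;
    return (st.st_mode & S_ISVTX) != 0;
}

/* Re-open a cache file and accept it only if it is still a regular file
 * owned by `owner`, mode exactly 0600, with a single link.
 * Returns an open descriptor, or -1 if any check fails. */
int reopen_cache_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW);  /* refuse a symlink at path */
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the name, so the checks apply to the
     * object actually opened even if the name is replaced afterwards. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & 07777) != 0600 ||
        st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *dir = "/tmp";  /* directory to audit */
    printf("%s protects files: %d\n", dir, dir_protects_files(dir));
    return 0;
}
```
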


