Re: another /tmp race: `perl -e' opens temp file not safely

[shalunov () MCCME RU (stanislav shalunov)]

> > > > > "deraadt" == Theo de Raadt <deraadt () cvs openbsd org> writes:

 deraadt> Moreover, Stanislav's patch retained the use of of mktemp(),
 deraadt> which means his fixed perl can still be denial-of-serviced

This is true.  You can still DOS Perl after my quick patch (if you win
the race).  I am afraid that the same might apply to your patch as
well, at least on some systems and to some degree.  But surely
mkstemp() is a better thing to do.

 deraadt> The correct fix is to use mkstemp(), which is designed to be
 deraadt> (much more) impervious to these kinds of races.

It is.  However, on many systems it only tries a finite number of
times; if you guess the name every time it open()s you've denied
service to the calling program.  It is much harder to do (you need to
win a lot of races) but theoretically it's possible.  So the program
still isn't correct in the strict sense.  (This does not apply to
OpenBSD: its _gettemp() will try forever which is the right thing to
do because attacker cannot win an infinite number of races--or to put
it more accurately, has probability zero of winning $\aleph_0$ races.)

All this complexity of trivial things (just open a temp file) is one
of the reasons I think the whole idea of /tmp is a fundamental
misdesign and eventually one should be able to chmod it to 755 (while
programs should use per-user TMPDIRs).