Bugtraq mailing list archives
Re: another /tmp race: `perl -e' opens temp file not safely
From: shalunov () MCCME RU (stanislav shalunov)
Date: Sun, 8 Mar 1998 03:53:09 GMT
"deraadt" == Theo de Raadt <deraadt () cvs openbsd org> writes:
deraadt> Moreover, Stanislav's patch retained the use of of mktemp(), deraadt> which means his fixed perl can still be denial-of-serviced This is true. You can still DOS Perl after my quick patch (if you win the race). I am afraid that the same might apply to your patch as well, at least on some systems and to some degree. But surely mkstemp() is a better thing to do. deraadt> The correct fix is to use mkstemp(), which is designed to be deraadt> (much more) impervious to these kinds of races. It is. However, on many systems it only tries a finite number of times; if you guess the name every time it open()s you've denied service to the calling program. It is much harder to do (you need to win a lot of races) but theoretically it's possible. So the program still isn't correct in the strict sense. (This does not apply to OpenBSD: its _gettemp() will try forever which is the right thing to do because attacker cannot win an infinite number of races--or to put it more accurately, has probability zero of winning $\aleph_0$ races.) All this complexity of trivial things (just open a temp file) is one of the reasons I think the whole idea of /tmp is a fundamental misdesign and eventually one should be able to chmod it to 755 (while programs should use per-user TMPDIRs).
Current thread:
- another /tmp race: `perl -e' opens temp file not safely stanislav shalunov (Mar 07)
- Re: another /tmp race: `perl -e' opens temp file not safely Dennis Taylor (Mar 07)
- Re: another /tmp race: `perl -e' opens temp file not safely Theo de Raadt (Mar 07)
- Re: another /tmp race: `perl -e' opens temp file not safely stanislav shalunov (Mar 07)
- Re: another /tmp race: `perl -e' opens temp file not safely Theo de Raadt (Mar 07)
- Re: another /tmp race: `perl -e' opens temp file not safely stanislav shalunov (Mar 08)
- Re: another /tmp race: `perl -e' opens temp file not safely Theo de Raadt (Mar 08)
- r00t Advisory [ LitterMaid Race Condition ] X (Mar 07)
- Re: another /tmp race: `perl -e' opens temp file not safely stanislav shalunov (Mar 08)
- Re: another /tmp race: `perl -e' opens temp file not safely Theo de Raadt (Mar 08)
- Updated list of crypto and security courses Avi Rubin (Mar 09)
- *sigh* another RH5 /tmp problem Mark A. Spencer (Mar 09)
- Re: *sigh* another RH5 /tmp problem Erik Troan (Mar 10)
- Re: Linux libc5 'bug' in mkstemp(). Andreas Jaeger (Mar 10)
- Re: another /tmp race: `perl -e' opens temp file not safely stanislav shalunov (Mar 07)