Re: Insecure use of file in /tmp by trn

[joey () FINLANDIA INFODROM NORTH DE (Martin Schulze)]

Rogier Wolff wrote:
> > > > This was not intentional by the author, he tried to use tempfile(1) to
> > > > create the temporary filename.  However, due to a thinko, the name was
> > > > hardcoded into the script.
> > > [...]
> > > > +#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
> > >
> > > So now you're using tempfile? This usually yields an easily
> >
> > No, but now we're using tempfile in a proper way.  In the original source
> > code it was used like:
> >
> >     NNTPactive=`tempfile -p active`
>
> This is what I meant. You've made it just a teeny bit harder to exploit,
> but the same expoit is still there.
>
> 10 years ago, this solution would've been adequate. Nowadays everbody
> should know that this is very hard to get right. Mover the "bad guys"
> already have the exploit programs ready.
>
> Creating a tempfile from a C program is possible since we have a
> mkstmp call. It is sufficiently tricky that I wouldn't dare

I'm sorry, but I don't understand.  tempfile is a C program that creates
a tempfile.

DESCRIPTION
       tempfile  creates  a  temporary file in a safe manner.  It
       uses tempnam(3) to choose  the  name  and  opens  it  with
       O_RDWR  |  O_CREAT  |  O_EXCL.  The filename is printed on
       standard output.

> replicating the functionality myself. Creating a private directory in
> /tmp and putting the tempfiles in there might be the only solution for
> shell scripts.

In which case you only make things more difficult to exploit, since such
a directory would be guessable as well as a tempfilename would, same for
the file inside of it.

Regards,

        Joey

--
Whenever you meet yourself you're in a time loop or in front of a mirror.