
/tmp temp file security problems



I think there are several administrative programs that use temporary files
in /tmp without proper checking, resulting in major security holes.

For example, /usr/sbin/paperconfig: a malicious user can destroy any file
by creating 65534 symbolic links in /tmp/.papersize.[2-65535]. Now he only
has to wait for an unsuspicious superuser to run paperconfig, which does not
precheck the temp files it creates. Line 97:
    if echo "$1" >/tmp/.papersize.$$

The same problem can be easily seen in many other Debian shell scripts and
binaries. If there are setuid programs with the same problem, even an
unsuspicious superuser isn't needed.

Maybe there should be a set of rules for using temp files in security
critical applications. Here are a few suggestions:

1. Setuid programs and those programs run only with privileged uid
(daemons, admin) should not use publicly writable directories for temp
files, instead they should use a dedicated directory with uid only access.
For cases like paperconfig, where the temporary file will ultimately
replace a config file in /etc, /etc/*.conf.$$ might be a good choice.
There's a new problem though, deleting leftover files.

2. Temp files should be created with mode 600. Read access can also be
harmful.

3. A clueful superuser might want to use the TMPDIR environment variable,
pointing to a secure place for temp files. If temp files are created with
libc tempnam(), this is automatically used.

One could do clever tricks to check if the temp file does not exist, but I
think this is just asking for race condition, NFS etc. problems.

I'm not a member of this list, so please CC me when you reply.

-Topi


-- 
G? d s++:- a- C++ UL++++ P++++ L++>+++ E W+ N- !o K? w+ !O !M !V PS+
PE++ Y+ PGP++ !t 5? X+ !R tv b++ DI++ !D G+ e+++ h---- r+++ y?
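
Suggestions 1 and 2 from the message above, as an added shell example (not part of the original post and not paperconfig's own code): the predictable-name write from line 97 next to a version that creates its temp file beside the target with mktemp(1) and renames it into place. The function names and the sandbox layout ("shared" standing in for /tmp, "etc" for /etc) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Everything runs inside a throwaway sandbox directory; the
# function names and directory layout are assumptions, not paperconfig code.

# Pattern from the post: predictable name in a shared directory, no pre-check.
# The redirection opens the name with O_CREAT|O_TRUNC and follows a symlink.
unsafe_write() {    # unsafe_write SHARED_DIR CONTENT
    echo "$2" >"$1/.papersize.$$"
}

# Hardened: temp file beside the target (suggestion 1), unpredictable name
# created exclusively by mktemp(1) with mode 600 (suggestion 2), removed on
# failure, then renamed over the target in one atomic step.
safe_write() {      # safe_write TARGET CONTENT [FINAL_MODE]
    target=$1
    dir=$(dirname -- "$target")
    tmp=$(mktemp "$dir/.$(basename -- "$target").XXXXXXXXXX") || return 1
    if printf '%s\n' "$2" >"$tmp" &&
       chmod "${3:-644}" "$tmp" &&
       mv -f -- "$tmp" "$target"; then
        return 0
    fi
    rm -f -- "$tmp"     # no leftover file if any step failed
    return 1
}

# Constructed scenario: "victim" is the file the symlink planter wants
# destroyed; the link is planted at the name unsafe_write will use.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" "$box/etc"
    echo "precious" >"$box/victim"
    ln -s "$box/victim" "$box/shared/.papersize.$$"

    safe_write "$box/etc/papersize" "a4"
    after_safe=$(cat "$box/victim")
    unsafe_write "$box/shared" "a4"
    after_unsafe=$(cat "$box/victim")

    rm -rf "$box"
    echo "victim after safe_write:   $after_safe"
    echo "victim after unsafe_write: $after_unsafe"
}
demo
```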


