Re: Bug#286392: autopoint: Insecure temporary directory usage
From: Javier Fernández-Sanguino Peña
Subject: Re: Bug#286392: autopoint: Insecure temporary directory usage
Date: Thu, 23 Dec 2004 01:17:21 +0100
User-agent: Mutt/1.5.6+20040722i
reopen 286392
thanks
On Wed, Dec 22, 2004 at 07:51:34PM +0100, Santiago Vila wrote:
> Hi.
>
> Martin "Joey" Schulze, from the security team, agrees with me that this
> is not really a bug,
I can't comment on that statement since I have not seen that.
> in the sense that we should not be responsible
> for the user's own stupidity.
Then I wonder why both tempdir(), tempfile() and mktemp do not honor the
user's umask and make temporary stuff 0700? There's a simple reason for
this: race conditions are easy to make work since the contents are
predictable, that's actually something that does not happen so easily with
other stuff, I cannot foresee that you will edit a file named abXy.sgml and
take advantage of this, but I can foresee that when you run utility X the
application will make a file named X.
> Javier, if you still think this is a bug, please convince the security
> team before reopening. The default umask in Debian is 022.
> If we wanted to "support" insecure umasks set by the user, we would
> have to report "security bugs" like this one against nearly all
> packages in the archive. I don't think that would be reasonable.
I do not need to convince the security team. _All_ (well, most) temporary
file implementations do not honor insecure umasks. Let's see an example:
(...)
set -C
umask=`umask`
umask 77
tmpfile=`tempfile -p gztmp -d /tmp` || exit 1
if tail +$skip "$0" | /bin/gzip -cd >> $tmpfile; then
  umask $umask
  /bin/chmod 700 $tmpfile
(...)
That's from /bin/gzexe.
Let's see another: mkdtemp(1) and mkstemp(1) used by mktemp in Debian:
The mkdtemp() function generates a uniquely-named temporary
directory from template. The last six characters of template must be
XXXXXX and these are replaced with a string that makes the directory
name unique.
The directory is then created with permissions 0700.
I can provide more examples if need be. The way temporary files (and
directories) have been set up in most applications: use obscure filenames so
they are not easily guessable, and prevent others from accessing them by
making them mode 0700 (since there is really no need for other users
besides the one running the application to access those temporary files).
Now, the change is really simple to introduce, it has no caveats, improves
security for some cases and I really see no point in _not_ introducing it.
What do you fear, feature-bloat?
If you will, I can involve the Debian Security Audit team in this to see
what they think about it, but I think Ulf and Steven will have the same
opinion regarding this bug as I do.
Friendly,
Javier
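The point of the thread, as an added shell example that is not from the bug report, from autopoint or from gzexe: a directory made with plain mkdir inherits whatever the caller's umask allows, while mktemp -d (mkdtemp(3) underneath) comes out 0700 whatever the umask is, and a script can verify that before trusting the directory. It assumes GNU coreutils (stat -c) and a writable ${TMPDIR:-/tmp}.

```shell
#!/bin/sh
# Added example, not code from the bug report or from autopoint.
# Assumes GNU coreutils (stat -c) and a writable ${TMPDIR:-/tmp}.

tmpbase="${TMPDIR:-/tmp}"

# Print the octal permission bits of a path.
mode_of() {
    stat -c '%a' "$1"
}

# umask-dependent: the directory gets whatever the caller's umask allows,
# and the name is predictable (PID-based).
umask_dependent_tmpdir() {
    d="$tmpbase/umask-example.$$"
    mkdir "$d" || return 1
    printf '%s\n' "$d"
}

# mktemp -d: unpredictable name, and mode 0700 regardless of the umask.
private_tmpdir() {
    mktemp -d "$tmpbase/private-example.XXXXXX"
}

# Refuse to use a directory unless we own it and it is mode 0700.
check_private_dir() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    case "$(mode_of "$1")" in
        700) return 0 ;;
        *)   return 1 ;;
    esac
}

demo() {
    umask 022                     # Debian's default umask, as in the thread
    a=$(umask_dependent_tmpdir)
    b=$(private_tmpdir)
    printf 'mkdir  : %s mode %s\n' "$a" "$(mode_of "$a")"   # 755
    printf 'mktemp : %s mode %s\n' "$b" "$(mode_of "$b")"   # 700
    rmdir "$a" "$b"
}
```

Run demo to see both directories side by side; check_private_dir is the test a script should apply before writing anything into a temporary directory it did not just create itself.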