bug-inetutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-inetutils] tests/syslogd.sh and /tmp


From: Simon Josefsson
Subject: Re: [bug-inetutils] tests/syslogd.sh and /tmp
Date: Thu, 19 Jan 2012 09:01:46 +0100
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> Hello,
>
> tests/syslogd.sh requires a writable /tmp.

Looking further at that test, it seems buggy from another point of view
as well: the filenames are prone to a race condition when two or more
InetUtils instances is built at the same time.  The filenames used are:

# This good name base consumes twentythree chracters.
IU_GOOD_BASE=/tmp/$(date +%y-%m-%d)_socket_iu
# Add a single character to violate the size condition.
IU_BAD_BASE=/tmp/X$(date +%y-%m-%d)_socket_iu

Further, having predictable filenames has often been used by non-root
users to mount a privilege-escalation attack (just wait until the root
user runs the script), but I haven't reviewed the script if it has this
problem as well.

Normal practice is to use 'mktemp'.

> The workaround I’ve used in Guile is to cd $TMPDIR, create ./my-socket,
> and use that.

I would prefer a mktemp+cd approach.  It is the most secure, follows
best practices, and is the most portable.

/Simon



reply via email to

[Prev in Thread] Current Thread [Next in Thread]