[13628] in bugtraq
Re: Tempfile vulnerabilities
daemon@ATHENA.MIT.EDU (Dug Song)
Tue Feb 1 14:24:17 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.10.10001311532310.11540-100000@funky.monkey.org>
Date: Mon, 31 Jan 2000 15:44:36 -0500
Reply-To: Dug Song <dugsong@MONKEY.ORG>
From: Dug Song <dugsong@MONKEY.ORG>
X-To: foo <foo@BLACKLISTED.INTRANOVA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.10.10001302253420.89123-100000@blacklisted.intranova.net>
On Sun, 30 Jan 2000, foo wrote:
> This weekend I decided to play around with a couple of network
> management tools on securityfocus.com ... upon review of the source, I
> noticed a bad trend. Both tools handle temporary files insecurely.
the l0pht's tempwatch tool is useful in rooting out such problems.
http://www.l0pht.com/advisories/watch.txt
(or /usr/ports/security/tempwatch on OpenBSD)...
> - Check for the existence of your temporary file before you do anything
> with it:
>
> $SECUREDIR=/home/blah
> $tmpfile=$SECUREDIR/t.$$
> if [ -e $tmpfile ]; then
> echo -e "ERROR! : temporary file exists, erasing!\r\n"; rm -rf
> $tmpfile
> fi
you still have an exploitable race here.
a better way around this (esp. for program with many tmp files) is to use
a temporary directory instead, as in OpenBSD's /etc/security script:
umask 077
DIR=/tmp/_secure$$
TMP1=$DIR/_secure2
TMP2=$DIR/_secure3
if ! mkdir $DIR ; then
printf "tmp directory %s already exists, looks like:\n" $DIR
ls -alF $DIR
exit 1
fi
trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15
or if you're using OpenBSD, use the mktemp(1) program in your scripts:
http://www.openbsd.org/cgi-bin/man.cgi?query=mktemp
-d.
---
http://www.monkey.org/~dugsong/
