[6254] in bugtraq


Re: another /tmp race: `perl -e' opens temp file not safely

daemon@ATHENA.MIT.EDU (stanislav shalunov)
Sun Mar 8 00:50:57 1998

Date: 	Sun, 8 Mar 1998 03:53:09 GMT
Reply-To: stanislav shalunov <shalunov@MCCME.RU>
From: stanislav shalunov <shalunov@MCCME.RU>
X-To:         deraadt@cvs.openbsd.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199803080206.TAA19726@cvs.openbsd.org> (message from Theo de
              Raadt on Sat, 07 Mar 1998 19:06:25 -0700)

>>>>> "deraadt" == Theo de Raadt <deraadt@cvs.openbsd.org> writes:

 deraadt> Moreover, Stanislav's patch retained the use of mktemp(),
 deraadt> which means his fixed perl can still be denial-of-serviced

This is true.  You can still DOS Perl after my quick patch (if you win
the race).  I am afraid that the same might apply to your patch as
well, at least on some systems and to some degree.  But surely
mkstemp() is a better thing to do.

 deraadt> The correct fix is to use mkstemp(), which is designed to be
 deraadt> (much more) impervious to these kinds of races.

It is.  However, on many systems it only tries a finite number of
times; if you guess the name every time it open()s you've denied
service to the calling program.  It is much harder to do (you need to
win a lot of races) but theoretically it's possible.  So the program
still isn't correct in the strict sense.  (This does not apply to
OpenBSD: its _gettemp() will try forever which is the right thing to
do because an attacker cannot win an infinite number of races--or to put
it more accurately, has probability zero of winning $\aleph_0$ races.)

All this complexity of trivial things (just open a temp file) is one
of the reasons I think the whole idea of /tmp is a fundamental
misdesign and eventually one should be able to chmod it to 755 (while
programs should use per-user TMPDIRs).
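As an added illustration (written for this archive page; it is not code from Perl, OpenBSD or either poster), here is the mkstemp()-based pattern the thread recommends, wrapped in a retry loop so that a name collision leads to a fresh template instead of an immediate failure, and honouring a per-user TMPDIR as the last paragraph suggests. The ATTEMPTS bound, the TMPDIR-then-/tmp fallback and the post-open fstat/lstat check are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* ATTEMPTS is an assumed bound: retry on a name collision (EEXIST), don't fail. */
#define ATTEMPTS 100

/* Open a private temp file with mkstemp() (atomic O_CREAT|O_EXCL), never
 * mktemp()+open(). Honours a per-user TMPDIR, else /tmp. Returns an open fd
 * or -1; the created name is written into path (path_len bytes). */
int open_private_tempfile(const char *prefix, char *path, size_t path_len) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    for (int i = 0; i < ATTEMPTS; i++) {
        int n = snprintf(path, path_len, "%s/%sXXXXXX", dir, prefix);
        if (n < 0 || (size_t)n >= path_len) return -1;  /* template too long */
        int fd = mkstemp(path);
        if (fd < 0) {
            if (errno == EEXIST) continue;              /* collision: new name */
            return -1;                                  /* genuine error */
        }
        /* Old mkstemp() made 0666 files, so force owner-only; then confirm the
         * fd is a regular file we own and the path still names that inode. */
        struct stat fs, ls;
        if (fchmod(fd, S_IRUSR | S_IWUSR) == 0 &&
            fstat(fd, &fs) == 0 && lstat(path, &ls) == 0 &&
            S_ISREG(fs.st_mode) && fs.st_uid == geteuid() &&
            fs.st_ino == ls.st_ino && fs.st_dev == ls.st_dev)
            return fd;
        close(fd); unlink(path);
        return -1;
    }
    return -1;                                          /* all attempts collided */
}

/* Round-trip check: 0 on success, else the number of the first failed step.
 * Creates one file (mode 0600, writable), then removes it again. */
int selfcheck_tempfile(void) {
    char path[512], tiny[4];
    struct stat st;
    if (open_private_tempfile("demo-", tiny, sizeof tiny) != -1) return 1;
    int fd = open_private_tempfile("demo-", path, sizeof path);
    if (fd < 0) return 2;
    int rc = (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600) ? 0 : 3;
    if (rc == 0 && write(fd, "x", 1) != 1) rc = 4;
    close(fd);
    return unlink(path) == 0 ? rc : 5;
}
```

Note that glibc's mkstemp() already loops over many candidate names internally; the outer loop only matters on libcs that give up after a fixed, small number of tries, which is the case the reply above describes.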
