RE: tmp issues: trap before making safe tmp and no change directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jeremy,
 
  Rather than using another value for the "needsCleanup" variable, why not use the test of the existance of "$tmpdir" as the value for your "needsCleanup" value?  I.e. replace "$needsCleanup" with a subroutine that returns "true" if the "$tmpdir" exists?  Is there a bad race condition here?
 
Dan

	-----Original Message----- 
	From: Jeremy C. Reed [mailto:reed@xxxxxxxxxxxxx] 
	Sent: Tue 10/28/2003 2:38 PM 
	To: security-discuss@xxxxxxxxxxxxxxxxx 
	Cc: 
	Subject: tmp issues: trap before making safe tmp and no change directory
	
	

	I am working on updating tetex2-bin for a packages collection (pkgsrc). I
	already reported one tmp unsafe issue in xdvizilla that has been fixed in
	xdvi/xdvik/texk/xdvik CVS (hopefully that covers tetex-src too).
	
	Anyways, I had some questions I'd like comments on.
	
	I have seen many scripts that set up tmp files with a trap before. This
	sets up a trap to delete the directory before the directory is even
	created. In a very rare condition, if signal 1 2 3 7 13 or 15 hit it then
	the directory will be removed before even checked.
	
	For example:
	
	  cleanup()
	  {
	    rc=$?
	    $needsCleanup && test -n "$tmpdir" && test -d "$tmpdir" \
	      && { rm -f "$tmpdir"/*; cd /; rmdir "$tmpdir"; }
	    exit $rc
	  }
	  setupTmpDir()
	  {
	    $needsCleanup && return
	
	    trap 'cleanup' 1 2 3 7 13 15
	    needsCleanup=true
	
	*** what if signal hits here, so trap does cleanup on tmpdir which was
	symlinked to your important files ***
	
	    (umask 077; mkdir "$tmpdir") \
	      || abort "could not create directory \`$tmpdir'"
	  }
	...
	  tmpdir=${TMP-/tmp}/$progname.$$
	  setupTmpDir
	  cd "$tmpdir" || {
	    false  # some systems need this to set nonzero $?
	    cleanup
	  }
	
	
	
	Maybe that doesn't matter because a user who could make the tmp symlinks
	may not be able to force the signals to that script. What do you think?
	(I think the shell traps should be setup after just in case of some
	random event.)
	
	
	Also, I have seen several scripts that use tempfiles like abc.$$ but are
	used under some non-world-writable directory. This is usually okay and
	common. But some scripts may create the the full tmp file name based on a
	command-line argument or the path/to/executable. Due to poor judgment or
	accidently wrong usage the script with base tmp file usage could be used
	in a directory (or reference a directory) that is world-writable.
	
	I believe that all tmp$$ style usage should use safe tmp file creation if
	the possible location is not forced. What do you think?
	
	
	Any good documents about the above? (That I could use as references if I
	choose to report these.)
	
	   Jeremy C. Reed
	   http://bsd.reedmedia.net/
	
	------------------------------------------------------------------------
	     To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx
	         with "unsubscribe" in the subject of the message.
	
	

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿN‹§²æìr¸›yé[rêâ·/ÝÇ.²Ïëz«ž²ßåŠ{±±ç.®+rýÊ&Â+aþéì®&Þþ)í…ë.n7œ¶‡í…éÆ


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux