Re: many packages write to `temporary-file-directory' insecurely

From: Stefan Monnier
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Tue, 05 Mar 2002 10:15:50 -0500

> My solution is to first write the scores securely into a temp file and
> then move it to the desired place.  This is safe, because if someone
> has made the destination filename a symbolic link, then the rename
> system call removes the link, rather than overwriting the linked-to file.

The idea is alright, but:

> This requires storing the file in a subdirectory of /tmp that is
> world-writable without restriction, as opposed to /tmp itself, which
> normally has its sticky bit set, thus forbidding people from deleting
> others' files or renaming over them.

This creates another problem, which comes from the fact that Emacs does
not have the notion of a file descriptor: an attacker can change the
temp file into a symlink between the call to make-temp-file and the call
to write-region.

I really think it's better to require that the parent directory
of the file we're writing to is only writable by ourselves and/or
by root.
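As an added illustration of the check proposed in this message (this is example code written for this page, not code from Emacs or from anyone in the thread, and Python is used instead of Emacs Lisp so it can run stand-alone), the block below refuses to write unless the parent directory is a real directory owned by the caller or root and not writable by group or others, and then writes through a temporary file in that same directory followed by a rename. A sticky-bit /tmp is still world-writable, so it fails the check, which is exactly the point made above. Function names such as dir_mode_is_private and write_file_safely are my own, and the score file content is constructed sample data.

```python
"""Parent-directory ownership/permission check before writing a file,
then temp-file-plus-rename in that directory. Added example for this
thread; function names and sample data are assumptions, not Emacs code."""
import os
import stat
import tempfile


def dir_mode_is_private(st_mode, st_uid, my_uid):
    """Pure check on stat fields: the path must be a directory, owned by
    us or by root, and not writable by group or others. A sticky /tmp
    (mode 1777) fails because anyone can still create a symlink in it."""
    if not stat.S_ISDIR(st_mode):
        return False
    if st_uid not in (my_uid, 0):
        return False
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def parent_dir_is_trusted(path):
    """Apply the check to the directory that will hold `path`.
    lstat() is used so a parent that is itself a symlink is rejected."""
    parent = os.path.dirname(os.path.abspath(path)) or "/"
    st = os.lstat(parent)
    return dir_mode_is_private(st.st_mode, st.st_uid, os.getuid())


def write_file_safely(path, data):
    """Refuse unless the parent directory is private; otherwise write to a
    temp file in that same directory and rename it over the destination.
    rename() replaces a symlink sitting at `path` rather than following it."""
    if not parent_dir_is_trusted(path):
        raise PermissionError("parent directory of %s is not private" % path)
    parent = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def demo():
    """Constructed scenario: a private directory passes and the write lands;
    the same directory made sticky and world-writable (like /tmp) is refused."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        target = os.path.join(d, "scores")
        write_file_safely(target, b"high-score 42\n")  # constructed sample data
        with open(target, "rb") as f:
            results["private_write"] = f.read()
        os.chmod(d, 0o1777)  # sticky bit set, world-writable
        results["sticky_trusted"] = parent_dir_is_trusted(target)
        try:
            write_file_safely(target, b"tampered\n")
            results["world_writable_refused"] = False
        except PermissionError:
            results["world_writable_refused"] = True
        os.chmod(d, 0o700)  # restore so cleanup behaves
    return results


if __name__ == "__main__":
    print(demo())
```

The directory check is the part an Emacs Lisp implementation can also perform with file-attributes before make-temp-file, since it needs no descriptor; the descriptor-based write here is what Python has and Emacs, as the message notes, does not.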