
[Texmacs-dev] Secure creation of temporary files


From: david
Subject: [Texmacs-dev] Secure creation of temporary files
Date: Thu, 13 Feb 2003 11:20:57 +0100
User-agent: Mutt/1.4i

On Wed, Feb 12, 2003 at 02:48:26PM -0600, Joris Van der Hoeven wrote:

> I don't know how to handle 1789.

The discussion on the bug tracker is really of general interest (to
developers) so I think we should better have it here.

The point is: texmacs currently uses tmpname to create temporary
files. This function returns an unused file name in /tmp; a temporary
file is later created with that name. It is recommended to use tmpfile
instead to atomically create a temporary file. Files created by
tmpfile are deleted when the file is closed.

The problem with that is texmacs uses temporary file names as output
file names in shell scripts executed by the 'system' command. According
to Igor, since tmpfile returns a FILE handle, the file name is
accessible so that should not be a problem, but Joris seems
uncomfortable about that (maybe I overlooked something).

Another way to work around the tmp file name vulnerability would be to
create files in a user-only accessible directory (say ~/.TeXmacs/tmp)
with appropriate privileges. That is secure as long as the software is
not setuid. Otherwise a malicious program (unknowingly) run by the
user could try to exploit the vulnerability. However no one should
ever run TeXmacs as root. However experience shows that some people
actually do that :-(

Additionally, creating tmp files in ~/.TeXmacs/tmp is not such a good
thing because it defeats automatic cleanup of /tmp and can quickly
increase the entropy of the /home file system, which is generally used
for long-lasting files.

Here is a related discussion (I just saw it was relevant, I did not
actually take the time to understand what it was about):

http://lwn.net/1998/0312/newtmp.html

Also, here is an example exploit for an old gcc vulnerability.

http://lwn.net/1998/0226/symlink.html

Generally tmp exploits use the race condition created by the time
between the moment when the file name is computed (and known to be
unused) and when it is actually used (and no longer guaranteed to be
unused). This race condition is made easier to exploit when the file
name is easy to guess, which happens when most free chars in the name
are taken by the PID of the creating process.

The following message gives simple and practical rules of thumb for /tmp
safety.

http://lwn.net/2000/1221/a/sec-tmp.php3

However, note that this message does not mention tmpfile which is more
portable and seems more versatile than mkstemp and mkdtemp.

Bottom line: what is the problem with tmpfile?

-- 
David Allouche         | GNU TeXmacs -- Writing is a pleasure
Free software engineer |    http://www.texmacs.org
   http://ddaa.net     |    http://alqua.com/tmresources
   address@hidden  |    address@hidden
TeXmacs is NOT a LaTeX front-end and is unrelated to emacs.
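An added example, not part of the original message or of TeXmacs itself: the atomic-creation pattern the rules of thumb above point at, in C, using mkstemp so that a file name can still be handed to a child command as an output name, plus a check that the name still refers to the file we created before it is trusted again. The `texmacs-XXXXXX` template, the TMPDIR fallback and the function names are my own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Atomically create a temporary file. mkstemp() fills in the XXXXXX, opens
 * the file with O_CREAT|O_EXCL and mode 0600 and returns a descriptor, so
 * there is no window between "name is unused" and "file exists" (the window
 * tmpnam()+fopen() leaves open). The chosen path is written to path_buf so
 * it can still be passed to a child command as an output name.
 * Returns the descriptor or -1 (hypothetical helper, assumed template). */
int create_temp_output(char *path_buf, size_t buflen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path_buf, buflen, "%s/texmacs-XXXXXX", dir);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return mkstemp(path_buf);
}

/* Before trusting the name again (e.g. after a child process wrote to it),
 * check that the path still names the file we created: a regular file (no
 * symlink swapped in), same device and inode as our open descriptor, owned
 * by us, and not accessible to group or others. Returns 1 if all checks pass. */
int temp_file_is_ours(int fd, const char *path)
{
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_path) != 0)
        return 0;
    return S_ISREG(by_path.st_mode)
        && by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino
        && by_path.st_uid == geteuid()
        && (by_path.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Round trip: create, verify, remove. Returns 1 on success, 0 otherwise. */
int demo_secure_temp(void)
{
    char path[256];
    int fd = create_temp_output(path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = temp_file_is_ours(fd, path);
    if (unlink(path) != 0 || temp_file_is_ours(fd, path)) /* lstat must fail */
        ok = 0;
    close(fd);
    return ok;
}
```

The descriptor stays valid after unlink, so the file can be read back through fd even once the name is gone, which is what tmpfile gives you without exposing a name at all.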