Bugtraq mailing list archives
Re: /tmp race in mc-4.5.0
From: Marc.Heuse () MAIL DEUBA COM (Marc Heuse)
Date: Thu, 15 Oct 1998 08:25:20 +0200
Hi,
mc 4.5.0 creates a temporary file in /tmp when it's started. It's called talk.fish and has the mode 644. If a user would link the file to /etc/passwd or anything else, when the root would start mc, the file would be erased.It was me who added talk.fish file (and it kind of escaped me, sorry), it is debugging hack and it is currently disabled in my tree (and CVS). Workaround is: create /tmp/talk.fish yourself, so that noone can put symlink there
and remember to disable the tmpdir cleanup script ...
What is worse, they are probably going to stay there until someone invents safe & portable way of how to work with temporary files from shell.
I'd modify your example to: TMPDIR=/tmp/mctmpdir.$$ umask 027 # or 077 rm -rf $TMPDIR mkdir $TMPDIR || exit 1 do_something > $TMPDIR/file do_something_else < $TMPDIR/file rm -rf $TMPDIR
(Actually, is this safe? It might be safe & portable, unfortunately, it is also slow & ugly)
this is safe and portable. another portable way which works on any sh/bash script is creating the files safely before using them for input/output redirection: TMP_FILE_1=/tmp/.mystuff1.$$ rm -rf $TMP_FILE_1 set -o noclobber > $TMP_FILE_1 || exit 1 set +o noclobber but the best and fastest (and not so portable way, but protects better against denial-of-service attacks than the other two) is: TMP_FILE=`mktemp /tmp/.myfileXXXXXX` || exit 1 Mit freundlichen Gruessen, Marc Heuse This message and any statements expressed therein are those of myself and not of the Deutsche Bank AG or its subsidiary companies. Type Bits/KeyID Date User ID pub 2048/DB5C03C5 1997/09/23 Marc Heuse <marc.heuse () mail deuba com> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5 AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1 RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A MuixTDbuf3Jph2jEG6r4Dw== =/n63 -----END PGP PUBLIC KEY BLOCK-----
Current thread:
- Last (hopefully) update on GroupWise Simple Nomad (Oct 10)
- <Possible follow-ups>
- Last (hopefully) update on GroupWise Adrian Voinea (Feb 06)
- /tmp race in mc-4.5.0 Pavel Machek (Oct 12)
- Re: /tmp race in mc-4.5.0 Bennett Todd (Oct 14)
- Re: /tmp race in mc-4.5.0 Marc Heuse (Oct 14)
- [NTSEC] DoS attack in MS - Proxy 2.0 Jason Garms (Oct 15)
- IRIX xterm(1) exploitable buffer overflow SGI Security Coordinator (Oct 15)
- IRIX Xaw library exploitable buffer overflow SGI Security Coordinator (Oct 15)
- Microsoft Security Bulletin (MS98-015) Aleph One (Oct 16)
- HP-UX 10.20 SharedX Receiver Service DoS Security Research Team (Oct 16)
- Breaking Finger in AIX 4.2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (Oct 20)
- Re: Breaking Finger in AIX 4.2 Troy A. Bollinger (Oct 20)
- Alert: IE 4.0 Security Zone compromise Aleph One (Oct 20)
- /tmp race in mc-4.5.0 Pavel Machek (Oct 12)
- Re: Annoying Solaris/CDE/NIS+ bug Frank Cusack (Oct 13)