Bugtraq mailing list archives

Re: /tmp race in mc-4.5.0

From: Marc.Heuse () MAIL DEUBA COM (Marc Heuse)
Date: Thu, 15 Oct 1998 08:25:20 +0200

Hi,

mc 4.5.0 creates a temporary file in /tmp when it's started.
It's called talk.fish and has the mode 644. If a user would link the
file to /etc/passwd or anything else, when the root would start mc, the
file would be erased.

It was me who added talk.fish file (and it kind of escaped me, sorry),
it is debugging hack and it is currently disabled in my tree (and
CVS). Workaround is:
create /tmp/talk.fish yourself, so that noone can put symlink there


and remember to disable the tmpdir cleanup script ...

What is worse, they are probably going to
stay there until someone invents safe & portable way of how to work
with temporary files from shell.


I'd modify your example to:

        TMPDIR=/tmp/mctmpdir.$$
        umask 027       # or 077
        rm -rf $TMPDIR
        mkdir $TMPDIR || exit 1
        do_something > $TMPDIR/file
        do_something_else < $TMPDIR/file
        rm -rf $TMPDIR

(Actually, is this safe? It might be safe & portable, unfortunately,
it is also slow & ugly)


        this is safe and portable.
        another portable way which works on any sh/bash script is
        creating the files safely before using them for input/output
        redirection:

        TMP_FILE_1=/tmp/.mystuff1.$$
        rm -rf $TMP_FILE_1
        set -o noclobber
        > $TMP_FILE_1 || exit 1
        set +o noclobber

        but the best and fastest (and not so portable way, but protects
        better against denial-of-service attacks than the other two) is:

        TMP_FILE=`mktemp /tmp/.myfileXXXXXX` || exit 1




Mit freundlichen Gruessen,
                                Marc Heuse


This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.



Type Bits/KeyID    Date       User ID
pub  2048/DB5C03C5 1997/09/23 Marc Heuse <marc.heuse () mail deuba com>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzQnbFEAAAEIAL/tj4hn/DVjEWAZhuqRdxZQDy5B+gZbE0CD/mUnZqpem+9L
KY+I8te7jMfTQExzqn5jYb5BaibT0SbEBWSx9Gha8EiBLAVcAjvrXpV+HJLcnPRG
YDk5a3s7GrA+QVHbbd9DWgqjMfUMw9oUDAhhjgK20SeOtFGBD2U17GkQF6TK7EjC
CTOuz2Hx/tisDuroJJnxZdbLNvCceOf/D/bbFcR7DfnEJWJ3f9JC4fibZMlX5rXL
Ct/TKhZMd4d42uL7L4KvkT5JCnFuEw1jRDPpBjZ030cK2uWCM//iEVLGmGKOs6Pg
o3Lfnnd6I6bTPHgrNsapNWmocbIGDC/4w9tcA8UABRG0Jk1hcmMgSGV1c2UgPG1h
cmMuaGV1c2VAbWFpbC5kZXViYS5jb20+iQEVAwUQNCdsUQwv+MPbXAPFAQFWEwf5
AWt6PbKLLCCBPnzBMdXatKEJvNzrZRXNSpbgKQUDAKApRUnOkDJ9yp3tfJG0/BsL
XBf+ldmjjoo/OZeWhIhNb71bbCs8BK7/YK5LKef2eq4pzSiWYosrOfjlfyOVhAiP
AiWYtK/HBELy6Zs8QwoPX0QX0+R2+ocMS0TDz7nwBgO5wcj3yMU0geTrnlDpJdj1
RgFQLE6T9qO5coRjj1EAoT5gQMxP9L4TQuifYiQ6S2vh6blr3amjPohKSDzZ62/x
rQ1KMXJd7MlMQndn8UwKt4XgoFIsZOFRrkDiXfm6zFnH40UcotoA+Ygojp52+Y6A
MuixTDbuf3Jph2jEG6r4Dw==
=/n63
-----END PGP PUBLIC KEY BLOCK-----

Current thread:

Last (hopefully) update on GroupWise Simple Nomad (Oct 10)
- <Possible follow-ups>
- Last (hopefully) update on GroupWise Adrian Voinea (Feb 06)
  - /tmp race in mc-4.5.0 Pavel Machek (Oct 12)
    - Re: /tmp race in mc-4.5.0 Bennett Todd (Oct 14)
    - Re: /tmp race in mc-4.5.0 Marc Heuse (Oct 14)
    - [NTSEC] DoS attack in MS - Proxy 2.0 Jason Garms (Oct 15)
    - IRIX xterm(1) exploitable buffer overflow SGI Security Coordinator (Oct 15)
    - IRIX Xaw library exploitable buffer overflow SGI Security Coordinator (Oct 15)
    - Microsoft Security Bulletin (MS98-015) Aleph One (Oct 16)
    - HP-UX 10.20 SharedX Receiver Service DoS Security Research Team (Oct 16)
    - Breaking Finger in AIX 4.2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (Oct 20)
    - Re: Breaking Finger in AIX 4.2 Troy A. Bollinger (Oct 20)
    - Alert: IE 4.0 Security Zone compromise Aleph One (Oct 20)
  - Re: Annoying Solaris/CDE/NIS+ bug Frank Cusack (Oct 13)