Bugtraq mailing list archives

Re: Insecure use of file in /tmp by trn


From: R.E.Wolff () BITWIZARD NL (Rogier Wolff)
Date: Mon, 23 Aug 1999 08:49:24 +0200


Martin Schulze wrote:
Rogier Wolff wrote:
Martin Schulze wrote:
This was not intentional by the author, he tried to use tempfile(1) to
create the temporary filename.  However, due to a thinko, the name was
hardcoded into the script.
[...]
+#NNTPactive=\`tempfile -p active\`   #"/tmp/active.\$\$"
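
Review bot: the added NNTPactive line begins with `#`, so it is a comment and assigns nothing; the assignment that actually takes effect is not visible in the quoted lines. The trailing `#"/tmp/active.\$\$"` also leaves the PID-based name in the file, so either drop it or say in the comment why this line is kept commented out.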

So now you're using tempfile? This usually yields an easily

No, but now we're using tempfile in a proper way.  In the original source
code it was used like:

      NNTPactive=`tempfile -p active`

This is what I meant. You've made it just a teeny bit harder to exploit,
but the same exploit is still there.

10 years ago, this solution would've been adequate. Nowadays everybody
should know that this is very hard to get right. Moreover, the "bad guys"
already have the exploit programs ready.

Creating a tempfile from a C program is possible since we have a
mkstemp call. It is sufficiently tricky that I wouldn't dare
replicating the functionality myself. Creating a private directory in
/tmp and putting the tempfiles in there might be the only solution for
shell scripts.

                                Roger.

--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
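
The private-directory approach suggested in the last paragraph of the message, as an added example that is not part of the original post or of trn. The function names, the "trn" prefix and the retry count are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a private working directory under /tmp for a shell script.
# All function and variable names here are hypothetical.

# Create $1 as a directory only the caller can enter. mkdir fails if the
# name already exists as a file, directory or symlink (dangling or not; the
# last path component is not followed), so a pre-planted name is refused
# rather than reused. umask 077 makes the directory mode 0700 from the start.
create_private_dir() {
    ( umask 077 && mkdir -- "$1" ) 2>/dev/null
}

# Try up to 10 candidate names under base ($1) with prefix ($2) and print
# the directory that was created. The random suffix only reduces collisions;
# the safety comes from mkdir failing on an existing name, not from the
# name being hard to guess.
make_private_tmpdir() {
    base=$1 prefix=$2 try=0
    while [ "$try" -lt 10 ]; do
        suffix=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
        dir="$base/$prefix.$suffix"
        if create_private_dir "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
        try=$((try + 1))
    done
    return 1
}

# Usage sketch (constructed; "active" echoes the file name in the thread):
#   workdir=$(make_private_tmpdir "${TMPDIR:-/tmp}" trn) || exit 1
#   trap 'rm -rf -- "$workdir"' EXIT
#   NNTPactive="$workdir/active"
```

Files created inside the 0700 directory cannot be pre-created or symlinked by other local users, and the sticky bit on /tmp keeps them from renaming or removing the directory itself.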


