Re: usb_modeswitch/pppd -detach

[Jeffrey Walton <noloader () gmail com>]

On Mon, Jan 23, 2012 at 11:02 AM,  <Valdis.Kletnieks () vt edu> wrote:
> On Sun, 22 Jan 2012 02:38:57 GMT, "Larry W. Cashdollar" said:
>
> > This is still a race condition since the pid can be guessed easily as well.  It's better to use mktemp 
> > /tmp/debug.XXXXXXXXXX.
>
> No, that's *still* beatable, because if you know what the PID will be you can
> guess what the XXXX will be filled in with (it's basically just salted with the
> contents of the target directory, so anybody who can do a readdir() and can
> guess the pid can predict the value).  What you *want* to do is read the mktemp
> documentation and find this example on how to put the file into a securely
> created subdirectory rather than directly in /tmp:
>
>   * Create a secure fifo relative to the user's choice of `TMPDIR',
>     but falling back to the current directory rather than `/tmp'.
>     Note that `mktemp' does not create fifos, but can create a secure
>     directory in which the fifo can live.  Exit the shell if the
>     directory or fifo could not be created.
>          $ dir=$(mktemp -p "${TMPDIR:-.}" -d dir-XXXX) || exit 1
>          $ fifo=$dir/fifo
>          $ mkfifo "$fifo" || { rmdir "$dir"; exit 1; }
mkstemp or mkdtemp within $HOME? Taken directly from "Secure
Programming for Linux and Unix HOWTO"
(http://www.dwheeler.com/secure-programs/).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/