oss-sec mailing list archives
Re: Security risk of vim swap files
From: Solar Designer <solar () openwall com>
Date: Mon, 6 Nov 2017 21:00:50 +0100
On Sun, Nov 05, 2017 at 10:15:44PM -0800, Ian Zimmerman wrote:
On 2017-11-01 19:12, Solar Designer wrote:On Wed, Nov 01, 2017 at 07:02:22PM +0100, Jakub Wilk wrote:Unfortunately, glibc's implementation of tmpfile(3), which is the most fool-proof interface for dealing with temporary files that the C library offers, doesn't honour TMPDIR. :(We've been carrying a patch for this for ages:Do you know why this has not been changed upstream?
I did not, but to try and answer your question I just found this: https://cygwin.com/ml/libc-alpha/1999-04/msg00075.html | Re: Why doesn't tmpfile() honor $TMPDIR? | | To: Joel Klecker <espy () debian org> | Subject: Re: Why doesn't tmpfile() honor $TMPDIR? | From: Ulrich Drepper <drepper () cygnus com> | Date: 29 Apr 1999 12:24:15 -0700 | Cc: libc-alpha () cygnus com | | Joel Klecker <espy () debian org> writes: | | > In stdio-common/tmpfile{,64}.c, __path_search is called with the | > fifth argument set to 0, which causes tmpfile(), and tmpfile64() to | > use P_tmpdir. | > | > Is there a particular reason why tmpfile() and tmpfile64() should not | > be changed to call __path_search with the fifth argument set to 1, so | > that the functions do honor $TMPDIR? | | Yes: | | - compatibility with other systems and earlier versions | | - newly introduced security risks | | > I am asking because there is a long-standing bug | > (http://www.debian.org/Bugs/db/12/12240.html) in the Debian Bug | > Tracking System regarding this. | | This is no bug in glibc. In that Debian bug, we see this comment: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=12240#45 | From: Topi Miettinen <Topi.Miettinen () medialab sonera net> | To: 12240 () bugs debian org | Cc: Ian Jackson <ian () chiark greenend org uk> | Subject: Re: Bug#12240: patch | Date: Tue, 07 Jul 1998 23:20:08 +0300 | | There are two parts in the patch, one for tmpfile() use and other for | tmpnam(). | | Regarding tmpfile(), I checked K&R, Stevens, Donald Lewine's "POSIX | Programmer's Guide", and Solaris manual page and they all agree with glibc | documentation in that nothing is guaranteed. Fixing this in glibc is | trivial, by changing fifth argument of __stdio_gen_tempname call from 0 to | 1 in stdio-common/tmpfile.c. This will cause security problems with setuid | programs using tmpfile(), though. Apparently, the security risks and problems mentioned are that people were concerned this change would result in SUID programs (and/or their children - e.g., a command run via sudo) honoring TMPDIR in their tmpfile(3) calls - however, that is not in any way specific to tmpfile(3), and it should be addressed for all such places in glibc similarly. I don't know what state glibc was in with regard to honoring, ignoring, or unsetting TMPDIR in SUID programs in 1998-1999. Maybe those concerns were valid at the time, but if so it means glibc had other instances of the issue.
Do you know of any programs that break with this change?
No. Alexander
Current thread:
- Re: Fw: Security risk of vim swap files, (continued)
- Re: Fw: Security risk of vim swap files Tim (Oct 31)
- Re: Fw: Security risk of vim swap files Steffen Nurpmeso (Oct 31)
- Re: Fw: Security risk of vim swap files Leonid Isaev (Nov 01)
- Re: Fw: Security risk of vim swap files Simon McVittie (Nov 01)
- Re: Fw: Security risk of vim swap files Tim (Nov 01)
- Re: Fw: Security risk of vim swap files Jeffrey Walton (Nov 01)
- Re: Fw: Security risk of vim swap files Kurt Seifried (Nov 01)
- Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 01)
- Re: Fw: Security risk of vim swap files Solar Designer (Nov 01)
- Re: Security risk of vim swap files Ian Zimmerman (Nov 06)
- Re: Security risk of vim swap files Solar Designer (Nov 06)
- Re: Security risk of vim swap files Jakub Wilk (Nov 06)
- Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 01)
- Re: Fw: Security risk of vim swap files Leonid Isaev (Nov 01)
- Re: Fw: Security risk of vim swap files Jan Pokorný (Nov 01)
- Re: Re: Fw: Security risk of vim swap files Michael Orlitzky (Nov 01)
- Re: Re: Fw: Security risk of vim swap files Florent Rougon (Nov 01)