Secure Coding mailing list archives
temporary directories
From: ljknews at mac.com (ljknews)
Date: Sat, 30 Dec 2006 13:25:58 -0500
At 8:45 AM -0500 12/30/06, Leichter, Jerry wrote:
> [Moderator: This is likely beyond the point of general interest to sc-l]
>
> Actually, I disagree, in that it seems to expose a set of vulnerabilities not known even to language implementors.
>
> On Fri, 29 Dec 2006, ljknews wrote:
>
> | But these are problems that have been solved by those who provided the
> | Ada implementation (ACT and Aonix come to mind for Unix), and thus are
> | not an issue for the high level language programmer.
>
> Presumably they do the create-the-file-and-immediately-delete-it trick. Since the file must, however briefly, have an entry in some directory. General purpose code can't make assumptions about what directories are available for writing, so pretty much has to put the entry in a known, public place - almost always /tmp or /var/tmp. Unless one does this very carefully, it's open to various attacks. (For one trivial example, there is no way to tell the open() call to *always* create a new file - you can only tell it "if the file already exists, don't open it, return an error instead". The code had better check for that error and do something appropriate or it can be fooled into using a file an attacker created and already has access to.)
Certainly code that does not check for errors is inadequate.
> The techniques for doing this are complex enough - and the attacks if you don't do it *exactly* right obscure enough - that after all these years, attacks based on "insecure temporary file creation" are still reported regularly. (Frankly, even though I know that these problems exist, if you were to ask me to write a secure temporary file creator right now, I wouldn't try - I'd look for some existing code, because I doubt I'd get it right.)
Which is what one does when using the existing language implementation (except for the defect reported by Florian Weimer in this thread).

-- Larry Kilgallen
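The two points above, that open() can only refuse an already-existing name and that the caller must actually check that refusal, as an added C example (not code from either poster): mkstemp() applies O_CREAT|O_EXCL with mode 0600, the result is verified with fstat(), and the name is unlinked at once so the directory entry exists only briefly. The "sc-l-XXXXXX" name prefix and the use of $TMPDIR (falling back to /tmp) are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new, unnamed temporary file in dir. mkstemp() uses
 * O_CREAT|O_EXCL, so a pre-existing file or symlink at the chosen name
 * fails with EEXIST instead of being opened. Returns the fd or -1. */
int secure_anon_tmpfile(const char *dir) {
    char path[1024];                      /* name prefix is an assumption of this example */
    int n = snprintf(path, sizeof path, "%s/sc-l-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path);               /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;                /* the error must not be ignored */
    struct stat st;                       /* defence in depth: confirm what we got */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd); unlink(path); return -1;
    }
    if (unlink(path) < 0) { close(fd); return -1; }   /* entry gone, fd still usable */
    return fd;
}

/* Exercise both points. Returns 0 on success; a positive code names the failed step. */
int demo(void) {
    const char *dir = getenv("TMPDIR");   /* assumption: $TMPDIR or /tmp is writable */
    if (!dir) dir = "/tmp";
    int fd = secure_anon_tmpfile(dir);
    if (fd < 0) return 1;
    char buf[3] = {0};                    /* data round-trips through the unnamed file */
    if (write(fd, "ok", 2) != 2 || lseek(fd, 0, SEEK_SET) != 0) { close(fd); return 2; }
    if (read(fd, buf, 2) != 2 || strcmp(buf, "ok") != 0) { close(fd); return 3; }
    close(fd);
    char path[1024];                      /* now show O_EXCL refusing an existing name */
    snprintf(path, sizeof path, "%s/sc-l-XXXXXX", dir);
    int fd2 = mkstemp(path);
    if (fd2 < 0) return 4;
    int rc = 0;
    int fd3 = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd3 != -1 || errno != EEXIST) { rc = 5; if (fd3 >= 0) close(fd3); }
    close(fd2); unlink(path);
    return rc;
}
```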