Date: Sun, 11 Mar 2001 15:14:44 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Greg White <gregw-freebsd-security@greg.cex.ca>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: temp files for security/logcheck
Message-ID: <20010311151444.A69514@mollari.cthul.hu>
In-Reply-To: <20010310230843.A26101@greg.cex.ca>; from gregw-freebsd-security@greg.cex.ca on Sat, Mar 10, 2001 at 11:08:43PM -0800
References: <200103110435.f2B4ZHw04676@ns1.unixathome.org>; <20010310234519.A68252@databits.net> <200103110447.f2B4lww04741@ns1.unixathome.org> <20010310225345.A14180@mollari.cthul.hu> <20010310230843.A26101@greg.cex.ca>

On Sat, Mar 10, 2001 at 11:08:43PM -0800, Greg White wrote:
> On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote:
> > On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> > > AFAIK, the files disappear each time the script is run:
> > >
> > > umask 077
> > > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
> >
> > [...]
> >
> > Blah, that's an insecure way to create files in $TMPDIR (which is
> > usually /tmp). It needs to use mktemp(1).
> >
> > Kris
>
> It is in general, but not in this case. The script and the directory are
> mode 0700 -- this makes it difficult for it to be insecure. $TMPDIR is
> explicitly set.

Okay..I was missing context: $TMPDIR is usually inherited from the
user's environment and points to /tmp or whatever their preferred
temporary file directory is. I don't like the use of /usr/local for
temporary file storage -- that may be on a readonly filesystem. The
script needs to use mktemp -d -t to create itself a secure directory
to play in.

Kris
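
Added example, not part of the original message and not logcheck's own code: a sketch of the approach recommended above, keeping the script's scratch files in a directory created by mktemp(1) instead of at predictable `$TMPDIR/check.$$` paths. The `logcheck` prefix, the function names and the sample log line are assumptions; the explicit template is used in place of `-t` because the `-t` argument differs between BSD and GNU mktemp.

```shell
#!/bin/sh
# Added example: scratch files inside a mktemp(1) directory.
# Names below (make_workdir, workdir_is_private, run_check) are hypothetical.

# Create a private directory under $TMPDIR (default /tmp) and print its path.
# mktemp -d creates it atomically with mode 0700 and a random suffix, and
# fails rather than reusing a path that already exists.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/logcheck.XXXXXXXXXX"
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with no group or other permission bits set.
workdir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-in for the check run: every intermediate file lives in the private
# directory, which is removed before returning. A long-running script would
# also install: trap 'rm -rf "$workdir"' EXIT
run_check() {
    workdir=$(make_workdir) || return 1
    workdir_is_private "$workdir" || { rm -rf "$workdir"; return 1; }

    # Fixed names are safe here: no other user can create entries in $workdir,
    # so nothing can be planted at these paths ahead of the writes below.
    check="$workdir/check"
    output="$workdir/checkoutput"

    printf '%s\n' "constructed sample log line" > "$check"
    grep -c "sample" "$check" > "$output"

    result=$(cat "$output")
    rm -rf "$workdir"
    printf '%s\n' "$result"
}

run_check
```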