From owner-freebsd-bugs@FreeBSD.ORG Tue Feb 14 01:10:15 2012
Message-Id: <201202140109.q1E190LU076199@red.freebsd.org>
Date: Tue, 14 Feb 2012 01:09:00 GMT
From: grarpamp
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/165120: ed and sed - tmp file handling - security and location

>Number:         165120
>Category:       bin
>Synopsis:       ed and sed - tmp file handling - security and location
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 14 01:10:14 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     grarpamp
>Release:        HEAD
>Organization:
>Environment:
HEAD
>Description:
# /bin/ed has no means to relocate its temp file. Absent other
administrative solutions, this often leads to a full /tmp.

# /usr/bin/sed has legacy/poor temp file handling. Should be updated
to use mkstemp(3) so as to be more secure and therefore less clobberish.

Fix for both (add all three):
a) Add environment: TMPDIR
b) Add argument: -t
   Takes precedence over environment.
c) Change the default to: mkstemp(realpath(.XXXXXX))
   The directory that the file being edited resides in, and is
   naturally expected to be writable and have sufficient free space.
   Make tmp file named after if possible so as to be recognizable
   if crash cleanup is needed.

## line no's are for RELENG_8, topic applies to 8/9/HEAD
# /bin/ed
buf.c:191:char sfn[15] = ""; /* scratch file name */
buf.c:202: strcpy(sfn, "/tmp/ed.XXXXXX");
buf.c:203: if ((fd = mkstemp(sfn)) == -1 ||
# /usr/bin/sed
main.c:114:static char tmpfname[PATH_MAX]; /* Temporary file name (for in-place editing) */
main.c:360: unlink(tmpfname);
main.c:398: len = snprintf(tmpfname, sizeof(tmpfname),
main.c:399: "%s/.!%ld!%s", dirname(fname), (long)getpid(),
main.c:400: basename(fname));
>How-To-Repeat:
Have space contention in /tmp.
Have security race or filename collision.
>Fix:
See above.
>Release-Note:
>Audit-Trail:
>Unformatted: