Date: Sat, 13 Jan 1996 23:40:01 -0800 (PST)
From: Bruce Evans <bde@zeta.org.au>
To: freebsd-bugs
Subject: Re: ports/944: Security fixes for Fvwm 1.24r
Message-ID: <199601140740.XAA19336@freefall.freebsd.org>
The following reply was made to PR ports/944; it has been noted by GNATS.

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@FreeBSD.org, smpatel@sl-009.sl.cybercomm.net
Cc:
Subject: Re: ports/944: Security fixes for Fvwm 1.24r
Date: Sun, 14 Jan 1996 18:31:18 +1100

>>Description:
>Security problems with mktemp race condition.
>From Linux Security FAQ Update #10
>There is a good bit of stuff done between the mktemp() and the actual usage of
>the temporary file, so this bug is not very difficult to exploit. This bug
>could allow another local user to execute commands as you, when you start FVWM.

BSD provides mkstemp() to handle this problem properly. I'm not sure of its
history, but it is old enough to be in FreeBSD-1.1.5.

I tried exploiting the bug in mktemp() pointed out by Josh the other day
(mk[s]temp() uses stat(), not lstat(), so mktemp() can return a filename
that is a symlink. This doesn't seem to be a problem for mkstemp() since
O_EXCL in the open flags stops all (?) existing directory entries from being
openable).

>+ /* make a directory to guard against following symlinks */
>+ if (mkdir(tmp_name, 0700) != 0) {
>+ perror("exclusive open for tmp_name failed in m4_defs");
>+ exit(0377);
>+ }
>+ strcat(tmp_name, "/data"); /* what actual tmp file is to be called */

I think the O_EXCL method is better. Except of course if you really want
a directory or another type of non-regular file.

It's surprisingly hard to get the interface for temporary file [name]
creation right. FreeBSD has 5 BAD interfaces: tempnam(), tmpfile(),
tmpnam(), mktemp() and mkstemp().

Bruce
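
Review bot: In the quoted m4_defs hunk, strcat(tmp_name, "/data") appends five characters with no length check visible, so the change relies on tmp_name having spare room beyond the name it already holds; please confirm the buffer size or use a bounded append. The perror() text also says "exclusive open for tmp_name failed" although the call that failed is mkdir(), which will mislead whoever reads the error, and nothing in the hunk removes the directory again once the data file is finished with.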
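
An added example, not part of the original message or of the Fvwm patch: a small C probe of the behaviour the reply describes, showing stat() missing a dangling symlink that lstat() sees, open() with O_EXCL refusing that name, and mkstemp() choosing and opening its file in one step. The scratch paths, the struct and the function name are constructed for the illustration.

```c
/* Added example: how stat(), lstat(), O_EXCL and mkstemp() treat a symlink. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct probe {
    int stat_errno;   /* errno from stat(), which follows the link */
    int lstat_ok;     /* 1 if lstat() reports the link itself */
    int excl_errno;   /* errno from open(O_CREAT|O_EXCL) on the link */
    int mkstemp_ok;   /* 1 if mkstemp() returned a regular file */
};

/* Returns 0 and fills *p; -1 if the constructed scratch setup fails. */
int probe_tmp_name(struct probe *p)
{
    char dir[] = "/tmp/excl-demo.XXXXXX";   /* private scratch directory */
    char name[64], target[64], tmpl[64];
    struct stat sb;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(name, sizeof name, "%s/candidate", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    snprintf(tmpl, sizeof tmpl, "%s/fileXXXXXX", dir);
    if (symlink(target, name) != 0)   /* dangling link at the candidate name */
        return -1;

    /* A stat()-based "is this name free?" test sees ENOENT; lstat() does not. */
    p->stat_errno = (stat(name, &sb) == -1) ? errno : 0;
    p->lstat_ok = (lstat(name, &sb) == 0 && S_ISLNK(sb.st_mode));

    /* O_EXCL refuses any existing directory entry, symlinks included. */
    fd = open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    p->excl_errno = (fd == -1) ? errno : 0;
    if (fd != -1) close(fd);

    /* mkstemp() picks the name and opens it exclusively in a single call. */
    fd = mkstemp(tmpl);
    p->mkstemp_ok = (fd != -1 && fstat(fd, &sb) == 0 && S_ISREG(sb.st_mode));
    if (fd != -1) { close(fd); unlink(tmpl); }
    unlink(name); unlink(target);
    rmdir(dir);
    return 0;
}
```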