From owner-freebsd-audit@FreeBSD.ORG Sat Dec 9 09:08:21 2000
Date: Sat, 9 Dec 2000 12:08:14 -0500
From: John Hensley
To: Joachim Strömbergson
Cc: Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: Project for auditors
Message-ID: <20001209120814.A6148@hayduke.sunislelodge.com>
References: <20001124143336.A70550@citusc17.usc.edu> <3A2141A0.7BF149C4@ludd.luth.se>
In-Reply-To: <3A2141A0.7BF149C4@ludd.luth.se>; from watchman@ludd.luth.se on Sun, Nov 26, 2000 at 06:00:16PM +0100

At 18:00 +0100 26 November 2000, Joachim Strömbergson wrote:
> Aloha!
>
> Kris Kennaway wrote:
> > Here's something I just noticed. /usr/bin/mail will repeatedly
> > create files with the same name from mktemp(), of the form
> > /tmp/RsXXXXXX (as well as some others). This needs to be fixed to
> > use mkstemp() since there's the very easy to exploit race condition
> > there.
> >
> > Anyone up for it?
>
> Well, I took a 5 min browse in the code. There are two files in mail
> that use mktemp: temp.c and quit.c. 5 instances from line 79 and
> onward in file temp.c, and 1 instance on line 424 in quit.c.
>
> Replacing mktemp() calls with mkstemp() calls was no problem. But
> since I don't trust myself on this (yet, hopefully), I'm unsure what I
> need to change in the code surrounding the actual call. The man page
> describes the NULL vs -1 diffs. I took a look at the patch for
> printjob.c and am trying to adapt the way it calls mkstemp().

I took that approach, and then one that was more work, which I'm now
feeling silly about, 'cause 1) I should have checked the OpenBSD source
first, as they took a similar tack and I could have done it better and
saved myself a bunch of time, and 2) I'm thinking simply keeping the
descriptors from mkstemp() calls in temp.c open for the life of the
program might work better.

Either way you fix the mktemp() race, but I think the way OpenBSD did
it, there's still the possibility of a DOS, in that you could
/usr/bin/mktemp the same patterns and fill /tmp until mail can't create
any temporary files. If mail mkstemp()s them at startup, and reopens
them correctly (truncating where necessary), which I think is the case,
you either get the resources and are good as long as you're running, or
you stop immediately.

So does anyone more experienced see a reason you'd want to follow
OpenBSD and go through all the code and use *really* temporary files
everywhere you want one, instead of reusing a set of them that you keep
open?

> Also, in the quit.c the temp file is deleted by rm(tempname) on line
> 448. Should I use unlink() instead?

The rm() call in fio.c actually calls unlink, after making sure its
target is a real file.

John
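The mkstemp() pattern the thread is working out (check for -1 rather than NULL, fdopen() the descriptor, and keep the file open and truncate it when it is reused, as John proposes for temp.c), as an added example written for this page; it is not code from mail(1) or from the OpenBSD patch, and the function names and the self-check are assumptions.

```c
#define _XOPEN_SOURCE 700	/* mkstemp, fdopen, ftruncate, fstat */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/*
 * Replacement for the mktemp()+fopen() pattern: mkstemp() creates the file
 * atomically (O_EXCL, mode 0600), so nothing can be slipped in between choosing
 * the name and opening it. It signals failure with -1, where mktemp() gave NULL.
 */
FILE *safe_tempfile(char *template)
{
	int fd = mkstemp(template);	/* the XXXXXX in template is overwritten in place */
	FILE *fp;

	if (fd == -1) return NULL;	/* nothing was created; caller reports the error */
	if ((fp = fdopen(fd, "w+")) == NULL) {
		close(fd);
		unlink(template);	/* don't leave an empty file behind on failure */
		return NULL;
	}
	return fp;
}

/* Reuse a temp file kept open for the program's lifetime: empty and rewind it. */
int reset_tempfile(FILE *fp)
{
	if (fflush(fp) != 0 || ftruncate(fileno(fp), 0) == -1)
		return -1;
	rewind(fp);
	return 0;
}

/* End-to-end check with mail(1)'s /tmp/RsXXXXXX pattern; returns 0 on success. */
int tempfile_selfcheck(void)
{
	char name[] = "/tmp/RsXXXXXX";	/* must be a writable array, not a literal */
	FILE *fp = safe_tempfile(name);
	struct stat st;
	int rc = 0;

	if (fp == NULL)
		return 1;
	if (fputs("draft body", fp) == EOF || fflush(fp) != 0)
		rc = 2;
	else if (reset_tempfile(fp) != 0 || fstat(fileno(fp), &st) != 0 || st.st_size != 0)
		rc = 3;	/* truncation did not take effect */
	fclose(fp);	/* normal lifecycle: close, then unlink the name */
	unlink(name);
	return rc;
}
```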