Date: Sat, 9 Dec 2000 12:08:14 -0500 From: John Hensley <john@sunislelodge.com> To: =?iso-8859-1?Q?Joachim_Str=F6mbergson?= <watchman@ludd.luth.se> Cc: Kris Kennaway <kris@citusc.usc.edu>, audit@FreeBSD.ORG Subject: Re: Project for auditors Message-ID: <20001209120814.A6148@hayduke.sunislelodge.com> In-Reply-To: <3A2141A0.7BF149C4@ludd.luth.se>; from watchman@ludd.luth.se on Sun, Nov 26, 2000 at 06:00:16PM %2B0100 References: <20001124143336.A70550@citusc17.usc.edu> <3A2141A0.7BF149C4@ludd.luth.se>
next in thread | previous in thread | raw e-mail | index | archive | help
At 18:00 +0100 26 November 2000, Joachim Strömbergson <watchman@ludd.luth.se> wrote: > Aloha! > > Kris Kennaway wrote: > > Here's something I just noticed../usr/bin/mail will repeatedly > > create files with the same name from mktemp(), of the form > > /tmp/RsXXXXXX (as well as some others). This needs to be fixed to > > use mkstemp() since theres the very easy to exploit race condition > > there. > > > > Anyone up for it? > > Well, I took a 5 min browse in the code. There are two files in mail > that uses mktemp: temp.c and quit.c. 5 instances from line 79 and > onward in file temp.c, and 1 instance on line 424 in quit.c > > Replacing mktemp() calls with mkstemp() calls was no problem. But > since I don't trust myself on this (yet, hopefully), I'm unsure what I > need to change in the code surrounding the actual call. The man page > describes the NULL vs -1 diffs. I took a look at the patch for > printjob.c and am trying to adapt the way it calls mkstemp(). I took that approach, and then one that was more work, which I'm now feeling silly about, 'cause 1) I should have checked the OpenBSD source first, as they took a similar tack and I could have done it better and saved myself a bunch of time, and 2) I'm thinking simply keeping the descriptors from mkstemp() calls in temp.c open for the life of the program might work better. Either way you fix the mktemp() race, but I think the way OpenBSD did it, there's still the possibility of a DOS, in that you could /usr/bin/mktemp the same patterns and fill /tmp until mail can't create any temporary files. If mail mkstemp()s them at startup, and reopens them correctly (truncating where necessary), which I think is the case, you either get the resources and are good as long as you're running, or you stop immediately. So does anyone more experienced see a reason you'd want to follow OpenBSD and go through all the code and use *really* temporary files everywhere you want one, instead of reusing a set of them that you keep open? > Also, in the quit.c the temp file is deleted by rm(tempname) on line > 448. Should I use unlink() instead? The rm() call in fio.c actually calls unlink, after making sure its target is a real file. John To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001209120814.A6148>