Re: many packages write to `temporary-file-directory' insecurely
From: Al Petrofsky
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Tue, 5 Mar 2002 11:57:45 -0800

> From: "Stefan Monnier" <monnier+gnu/address@hidden>
>
> > My solution is to first write the scores securely into a temp file and
> > then move it to the desired place. This is safe, because if someone
> > has made the destination filename a symbolic link, then the rename
> > system call removes the link, rather than overwriting the linked-to file.
>
> The idea is alright, but:
>
> > This requires storing the file in a subdirectory of /tmp that is
> > world-writable without restriction, as opposed to /tmp itself, which
> > normally has its sticky bit set, thus forbidding people from deleting
> > others' files or renaming over them.
>
> This creates another problem, which comes from the fact that Emacs does
> not have the notion of file descriptor: an attacker can change the
> temp file into a symlink between the call to make-temp-file and the call
> to write-region.

The temp file is created directly in /tmp, which has sticky bit
protection, thus preventing an attacker from changing the temp file
into a symlink. If /tmp does not have sticky bit protection, then all
uses of make-temp-file are insecure.

> I really think it's better to require that the parent directory
> of the file we're writing to is only writable by ourselves and/or
> by root.

I agree, but it doesn't have to be root. If joe user installs emacs
with --prefix=/home/joe and the install process makes a world-writable
snake-scores file in directory /home/joe/var/emacs/game-scores, which
is unwritable by anyone but joe, then that is sufficient. Anyone who
uses the binaries has to trust joe anyway.

-al
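
An added example, not part of the original message or of Emacs: the write-to-a-temp-file-then-rename pattern and the parent-directory check discussed in this thread, in Python. The function names, the `.tmp-` prefix and the file names in `demo` are assumptions, and the demo scenario is constructed.

```python
import os
import stat
import tempfile

def dir_is_trusted(path):
    """True if only we or root can replace entries in `path`."""
    st = os.stat(path)
    if st.st_uid not in (0, os.geteuid()):
        return False
    writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    # A sticky directory such as /tmp stops other users from renaming
    # or deleting our files even though they can create their own.
    return not writable_by_others or bool(st.st_mode & stat.S_ISVTX)

def replace_file(dest, data):
    """Write `data` to a fresh temp file, then rename it over `dest`."""
    # abspath (not realpath) so a symlink at `dest` is not resolved here.
    parent = os.path.dirname(os.path.abspath(dest))
    if not dir_is_trusted(parent):
        raise PermissionError(f"untrusted parent directory: {parent}")
    # mkstemp opens with O_CREAT|O_EXCL, so it never follows a planted
    # symlink, and we write through the descriptor, not by name.
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        # rename(2) replaces the directory entry `dest`; if it is a
        # symlink, the link is removed and its target is left untouched.
        os.rename(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Constructed scenario: `dest` is a symlink pointing at a victim file."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        dest = os.path.join(d, "snake-scores")
        with open(victim, "wb") as f:
            f.write(b"precious")
        os.symlink(victim, dest)
        replace_file(dest, b"100 joe\n")
        with open(victim, "rb") as f:
            victim_data = f.read()
        with open(dest, "rb") as f:
            dest_data = f.read()
        return victim_data, os.path.islink(dest), dest_data
```

In a sticky directory where another user already owns the entry at `dest`, the `os.rename` call fails with an `OSError` rather than replacing it, which is the restriction the quoted message describes for /tmp itself.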