lynx-dev

Re: LYNX-DEV fix-v2 temp code.


From: Bela Lubkin
Subject: Re: LYNX-DEV fix-v2 temp code.
Date: Fri, 18 Jul 1997 15:39:11 +0000

Foteos Macrides wrote:

>       As far as the non-zero length microseconds between when tempname()
> returns a tentative filename and the fopen() is attempted, with /tmp/$USER
> set mode 700, and then a chmod(600) being done within those microseconds,
> I still feel that Jonathan is going overboard and should have gone home to
> sleep instead of generating buggy patch after buggy patch for the fotemods
> code set (or at least generate patches for a code set that might incorporate
> them).  The communication between tempname() and the calling functions is
> not via a slow PPP connection from Russia. :) :)

It has been repeatedly proven that such windows, no matter how
minuscule, *are* exploitable.  See, for instance, old CERT alerts about
Sun's sendmail local delivery agent.  It's good that the window has been
narrowed, but Jonathan is correct to be trying to close it completely.

The final implementation should have the characteristics that on systems
with appropriate kernel/library support (at least one of 3-argument
open(), fchmod(), or sticky directories), it is completely secure; and
on impoverished systems, the window is as narrow as possible.  From what
you're saying, the current fotemods code has a window on all systems.
That's unacceptable from a security standpoint.  A narrow window just
means that the attacker has to spend a bit more time trying to catch it.

>Bela<
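
The 3-argument open() case mentioned in the message above, as an added example that is not part of the original post and is not Lynx or fotemods code. The names create_temp_excl and demo_skips_planted_name, the candidate name pattern, and the /tmp scratch directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp(), symlink(), lstat() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper. O_CREAT|O_EXCL makes the existence check and the
 * creation one kernel operation, and the third argument sets mode 0600 at
 * creation, so no gap is left for a later fopen() or chmod() to race in. */
int create_temp_excl(const char *dir, char *path, size_t len)
{
    int fd, n;
    for (n = 0; n < 1000; n++) {
        struct stat st;
        if (snprintf(path, len, "%s/L%ld-%d.tmp", dir, (long)getpid(), n) >= (int)len)
            return -1;                    /* candidate name would be truncated */
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 && errno == EEXIST)
            continue;                     /* name taken, even by a dangling symlink */
        if (fd < 0)
            return -1;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
            st.st_uid == geteuid() && (st.st_mode & 077) == 0)
            return fd;                    /* verified by descriptor, not by name */
        close(fd);
        unlink(path);
        return -1;
    }
    return -1;
}

/* Constructed scenario: a symlink already sits at the first candidate name. */
int demo_skips_planted_name(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX", first[256], target[256], got[256];
    struct stat st;
    int fd, ok;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(first, sizeof first, "%s/L%ld-0.tmp", dir, (long)getpid());
    snprintf(target, sizeof target, "%s/target", dir);
    ok = symlink(target, first) == 0;
    fd = create_temp_excl(dir, got, sizeof got);
    ok = ok && fd >= 0 && lstat(target, &st) != 0;   /* link target never created */
    if (fd >= 0) { close(fd); unlink(got); }
    unlink(first);
    rmdir(dir);
    return ok;
}
```

demo_skips_planted_name() returns 1 when the helper moved past the pre-existing name and nothing was created through the link.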