bug-gnu-utils

Re: Bug#286392: autopoint: Insecure temporary directory usage


From: Javier Fernández-Sanguino Peña
Subject: Re: Bug#286392: autopoint: Insecure temporary directory usage
Date: Thu, 23 Dec 2004 01:17:21 +0100
User-agent: Mutt/1.5.6+20040722i

reopen 286392
thanks

On Wed, Dec 22, 2004 at 07:51:34PM +0100, Santiago Vila wrote:
> Hi.
> 
> Martin "Joey" Schulze, from the security team, agrees with me that this
> is not really a bug,

I can't comment on that statement since I have not seen that.

> in the sense that we should not be responsible
> for the user's own stupidity.

Then I wonder why tempdir(), tempfile() and mktemp all do not honor the
user's umask and make temporary stuff 0700? There's a simple reason for
this: race conditions are easy to make work since the contents are
predictable. That's actually something that does not happen so easily with
other stuff: I cannot foresee that you will edit a file named abXy.sgml and
take advantage of this, but I can foresee that when you run utility X the
application will make a file named X.

> Javier, if you still think this is a bug, please convince the security
> team before reopening. The default umask in Debian is 022.
> If we wanted to "support" insecure umasks set by the user, we would
> have to report "security bugs" like this one against nearly all
> packages in the archive. I don't think that would be reasonable.

I do not need to convince the security team. _All_ (well, most) temporary 
file implementations do not honor insecure umasks. Let's see an example:

(...)
set -C
umask=`umask`
umask 77
tmpfile=`tempfile -p gztmp -d /tmp` || exit 1
if tail +$skip "$0" | /bin/gzip -cd >> $tmpfile; then
  umask $umask
  /bin/chmod 700 $tmpfile
(...)

That's from /bin/gzexe.

Let's see another: mkdtemp(1) and mkstemp(1) used by mktemp in Debian:

       The mkdtemp() function generates a uniquely-named temporary
       directory from template. The last six characters of template must be
       XXXXXX and these are replaced with a string that makes the directory
       name unique.
       The directory is then created with permissions 0700.

I can provide more examples if need be. The way temporary files (and
directories) have been set up in most applications: use obscure filenames so
they are not easily guessable, and prevent others from accessing them by
making them mode 0700 (since there is really no need for other users
besides the one running the application to access those temporary files).

Now, the change is really simple to introduce, it has no caveats, improves 
security for some cases and I really see no point in _not_ introducing it. 
What do you fear, feature-bloat?

If you will, I can involve the Debian Security Audit team in this to see 
what they think about it, but I think Ulf and Steven will have the same 
opinion regarding this bug as I do.

Friendly,

Javier
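The save/tighten/restore umask pattern from the gzexe excerpt in the mail above, written out as a complete script that can be run and checked. This is an added example, not code from the mail, from gzexe or from autopoint; the function names, the `work` file and the prefixes are assumptions made for the illustration. It puts a naive mkdir-based temporary directory (predictable name, umask inherited from the user) next to the hardened form (umask 077 during creation, mktemp -d for an unpredictable name, caller's umask restored afterwards), and reads back the resulting modes so the difference is visible under a deliberately loose umask.

```shell
#!/bin/sh
# Added example, not part of the original mail or of gzexe/autopoint.
# Shows the point the mail argues: a temporary directory (and the files
# inside it) should end up 0700/0600 no matter how loose the caller's
# umask is, whereas a naive mkdir simply inherits the user's umask.

# naive_tmpdir PREFIX
# Predictable name (PREFIX.$$) and no umask handling: under umask 000 the
# directory and its contents come out world-writable. (Assumed helper.)
naive_tmpdir() {
    naive_dir="${TMPDIR:-/tmp}/$1.$$"
    mkdir "$naive_dir" || return 1
    : > "$naive_dir/work"
    printf '%s\n' "$naive_dir"
}

# make_private_tmpdir PREFIX
# Same save/tighten/restore dance as gzexe: umask 077 while creating,
# mktemp -d for an unpredictable name created atomically by the kernel,
# then the caller's umask is put back so later files are unaffected.
# (Assumed helper.)
make_private_tmpdir() {
    saved_umask=`umask`
    umask 077
    priv_dir=`mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXX"` || {
        umask "$saved_umask"
        return 1
    }
    : > "$priv_dir/work"     # created while umask is 077, so mode 0600
    umask "$saved_umask"
    printf '%s\n' "$priv_dir"
}

# perm_string PATH
# Prints the ls-style permission field (e.g. drwx------); works on both
# GNU and BSD ls, unlike stat(1) format strings.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Demo: a deliberately loose umask, the "user's own stupidity" case from
# the thread. Run as: sh secure-tmpdir.sh
demo() {
    umask 000
    n=`naive_tmpdir naive` || exit 1
    p=`make_private_tmpdir gztmp` || exit 1
    echo "naive   dir: `perm_string "$n"`  file: `perm_string "$n/work"`"
    echo "private dir: `perm_string "$p"`  file: `perm_string "$p/work"`"
    rm -rf "$n" "$p"
}

demo
```

Under umask 000 the naive directory shows as drwxrwxrwx with a -rw-rw-rw- file inside, while the private one shows drwx------ and -rw-------; with the default 022 umask the naive directory is still world-readable, which is why the mail's argument does not depend on the user having an unusual umask at all. The restore step matters: leaving umask at 077 for the rest of the script would silently change the mode of every file the program writes afterwards.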
