5873369 2000-12-15 21:12 -0800  /59 lines/ Kris Kennaway <kris@FREEBSD.ORG>
Sent by: joel@lysator.liu.se
Imported: 2000-12-19  00:13  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@FREEBSD.ORG
Recipient: Bugtraq (import) <14278>
Comment on text 5864946 by Octavio / Super <alvarezp@TELNOR.NET>
Subject: Re: /tmp topic
------------------------------------------------------------
On Thu, Dec 14, 2000 at 10:10:07PM -0800, Octavio / Super wrote:

> Is there a standard or a guide or a "HOWTO" <g> on using tmp
> directories safely? About using mkstemp(), assigning correct
> permissions, erasing the file at program termination, etc.

Use mkstemp() for making temporary files. If you can't use mkstemp()
then make yourself a directory using mkdtemp(), which is protected
from the outside world and you can be as insecure as you like within
it. If you really have to use the insecure mktemp() then use lots of
X's - I suggest 10 (if your libc allows it) so that the filename can't
easily be guessed (using only 6 X's means that 5 are taken up by the
PID, leaving only one random character and allowing an attacker to
mount an easy race condition) [1]

Never "roll your own" temporary file creation routine. Chances are you
don't know what you're doing and will get it wrong. Use the interfaces
helpfully provided to you by your libc vendor (described above). If
they don't provide these interfaces then yell at your vendor until
they do, or port the functions from a freely available libc such as
the FreeBSD/NetBSD/OpenBSD libc. Beware of deprecated, insecure
interfaces like mktemp() or tmpnam() which should be documented as
being insecure by your vendor.

Don't ever reuse a temporary filename (i.e. remove and recreate it) -
no matter how you obtained that "secure" temporary filename in the
first place (e.g. mkstemp()). An attacker can observe the original
filename and hijack it before you recreate it the second time.

If you ever want to make a file in /tmp or a world-writable directory
(or group-writable, if you don't trust the group) and don't want to
use mk*temp() (e.g. you intend for the file to be predictably named),
then ALWAYS use the O_EXCL flag to open() and CHECK THE RETURN
VALUE. If you fail the open() call, then recover gracefully
(e.g. exit).

Always use appropriate permissions - e.g. only allow world/group
access if you need the world or a group to access the file, otherwise
keep it mode 600.

Clean up after yourself, either by using an exit handler, or making
use of UNIX filesystem semantics and unlink()ing the file immediately
after creation so the directory entry goes away but the file itself
remains accessible until the last file descriptor pointing to it is
closed. You can then continue to access it within your program by
passing around the file descriptor.

Kris

[1] FreeBSD has recently changed the mk*temp() family to get rid of
the PID component of the filename and replace the entire thing with
base-62 encoded randomness. This drastically raises the number of
possible temporary files for the "default" usage of 6 X's, meaning
that even mktemp() with 6 X's is reasonably (probabilistically) secure
against guessing, except under very frequent usage.

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libc/stdio/mktemp.c.diff?r1=1.19&r2=1.20
(5873369) ------------------------------------------
Attachment (application/pgp-signature) in text 5873370
5873370 2000-12-15 21:12 -0800  /10 lines/ Kris Kennaway <kris@FREEBSD.ORG>
Imported: 2000-12-19  00:13  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@FREEBSD.ORG
Recipient: Bugtraq (import) <14279>
Attachment (text/plain) to text 5873369
Subject: Attachment to: Re: /tmp topic
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6OvnUWry0BWjoQKURAt2wAKC+SY7UIwt8uR3HPuhM6lIYvlR0ZQCgjr+g
a1yH9FXtYDtjGWHjoR1U+Dc=
=Ucxe
-----END PGP SIGNATURE-----
(5873370) ------------------------------------------
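Kris's recommendations above (mkstemp(), mkdtemp(), O_CREAT|O_EXCL with a checked return value, mode 600, unlink right after creation, never reusing a name) put into working C. This is an added example, not code from the original post or from the FreeBSD libc; the function names secure_anon_tmpfile(), create_exclusive() and make_private_dir(), the "/tmp" directory passed in main() and the 4096-byte path buffers are this example's own choices, and the remark about older libcs' mkstemp() modes is the example's own caveat.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Anonymous scratch file, the way the message recommends: mkstemp() picks
 * the name and does the O_CREAT|O_EXCL open itself; we pin the mode to
 * 0600 (some older libcs created mkstemp() files 0666 & ~umask) and then
 * unlink the name at once.  The file lives on until the last descriptor
 * is closed, and the name is never reused, so there is nothing to hijack.
 * 'dir' is the caller's directory choice (assumed usable by this example). */
int secure_anon_tmpfile(const char *dir)
{
    char path[4096];
    /* six X's is what every mkstemp() accepts; they are replaced, not a PID */
    if (snprintf(path, sizeof path, "%s/tmp.XXXXXX", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0 || unlink(path) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Predictably named file in a shared directory: O_CREAT|O_EXCL makes the
 * kernel refuse if anything already sits at 'path', including a symlink an
 * attacker planted (POSIX mandates EEXIST there, dangling or not).  The
 * caller must check for -1 and bail out; retrying with the same name would
 * hand the race straight back to the attacker. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Private directory: mkdtemp() creates it mode 0700, so predictable names
 * inside it are safe.  'tmpl' must end in XXXXXX and is rewritten in place. */
int make_private_dir(char *tmpl)
{
    return mkdtemp(tmpl) ? 0 : -1;
}

/* Demonstration: write through the unlinked descriptor and read it back. */
int main(void)
{
    int fd = secure_anon_tmpfile("/tmp");
    if (fd < 0) { perror("secure_anon_tmpfile"); return 1; }
    const char msg[] = "scratch data";
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return 1;
    char back[32] = {0};
    if (pread(fd, back, sizeof back - 1, 0) < 0) return 1;
    printf("read back: %s\n", back);
    close(fd);      /* the storage is released here, no cleanup handler needed */
    return 0;
}
```

The descriptor returned by secure_anon_tmpfile() is the only handle on the file, which is exactly the "pass around the file descriptor" cleanup Kris describes; create_exclusive() is for the case where the name must be predictable and the caller has to treat EEXIST as a collision or an attack, not as something to retry.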
5873379 2000-12-15 12:35 -0800  /26 lines/ Michael Damm <miked@ACCESSNW.NET>
Sent by: joel@lysator.liu.se
Imported: 2000-12-19  00:14  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: miked@ACCESSNW.NET
Recipient: Bugtraq (import) <14280>
Comment on text 5864880 by Mark Delany <MarkD@BUSHWIRE.NET>
Subject: Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)
------------------------------------------------------------
From: Michael Damm <miked@ACCESSNW.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.05.10012151231430.690-100000@mail.accessnw.net>

On Thu, 14 Dec 2000, Mark Delany wrote:

> I'm sure many people have been "guilty" of writing a quick and nasty
> shell script that ends in something like:  >/tmp/out.$$

I always was a difficult child.
TMPKEY="$RANDOM"
echo "foo" >/tmp/blah.$TMPKEY

Easiest fix for most of these issues, works great in quick bash hacks
on untrusted systems. I'm sure your OS/programming language of choice
has support for the latest in even semi-random number generation.

	-Mike

---
Michael Damm  - System Administrator  - Access Northwest, LLC  - Yakima, WA
Business:    miked@accessnw.net - http://www.accessnw.net/ - (509) 542-3221
Personal: symetrix@symetrix.org - http://www.symetrix.org/ - (877) 534-6247
(5873379) --------------------------------(Rewrapped)
Comment in text 5873667 by Ryan Russell <ryan@SECURITYFOCUS.COM>
Comment in text 5873687 by stanislav shalunov <shalunov@INTERNET2.EDU>
5873667 2000-12-18 13:47 -0800  /20 lines/ Ryan Russell <ryan@SECURITYFOCUS.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-19  05:49  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: ryan@SECURITYFOCUS.COM
Recipient: Bugtraq (import) <14304>
Comment on text 5873379 by Michael Damm <miked@ACCESSNW.NET>
Subject: Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)
------------------------------------------------------------
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.30.0012181344550.7266-100000@mail>

On Fri, 15 Dec 2000, Michael Damm wrote:

> I always was a difficult child.
> TMPKEY="$RANDOM"
> echo "foo" >/tmp/blah.$TMPKEY

Which allows for the possibility of collisions.  Various instances of
the script might on rare occasion step on each-others temp files,
causing problems at, uh... random.  That's why $$ is used, because
the OS is responsible for making sure process IDs are unique for all
the current processes.

						Ryan
(5873667) --------------------------------(Rewrapped)
5873687 2000-12-18 20:29 -0500  /21 lines/ stanislav shalunov <shalunov@INTERNET2.EDU>
Sent by: joel@lysator.liu.se
Imported: 2000-12-19  06:34  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: shalunov@INTERNET2.EDU
Recipient: Bugtraq (import) <14310>
Comment on text 5873379 by Michael Damm <miked@ACCESSNW.NET>
Subject: Re: Is /tmp still appropriate? (was Re: [hacksware]Pine temporary file hijacking vulnerability)
------------------------------------------------------------
From: stanislav shalunov <shalunov@INTERNET2.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <87itohi4gm.fsf@cain.internet2.edu>

Michael Damm <miked@ACCESSNW.NET> writes:

> I always was a difficult child.
> TMPKEY="$RANDOM"
> echo "foo" >/tmp/blah.$TMPKEY

This is actually a single linear transform of PID+NOW into 16-bit
space (((pid+now)*1103515245 + 12345) & 32767).  Trivial guess.

-- Stanislav Shalunov <shalunov@internet2.edu>	Internet Engineer,
Internet2

A fool's brain digests philosophy into folly, science into superstition,
and art into pedantry.  Hence University education.        -- G. B. Shaw
(5873687) --------------------------------(Rewrapped)
5877558 2000-12-19 07:30 +0100  /40 lines/ Tollef Fog Heen <tollef@ADD.NO>
Sent by: joel@lysator.liu.se
Imported: 2000-12-20  04:09  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: tollef@ADD.NO
Recipient: Bugtraq (import) <14346>
Comment on text 5873451 by Max Gribov <mgribov@LINKSHARE.COM>
Subject: Re: /tmp topic
------------------------------------------------------------
From: Tollef Fog Heen <tollef@ADD.NO>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <87d7eokjn8.fsf@manon.pvv.ntnu.no>

* Max Gribov

| Mount /tmp with noexec option in /etc/fstab is a pretty secure
| thingto do...

At least under Linux, noexec is not very useful:  (I know this has
been disclosed on bugtraq before, but, obviously, not everybody knows
about it)

$cat hello.c
#include <stdio.h>

int main() {
  printf("hello world\n");
  return 0;
}
$gcc -o hello hello.c
$./hello
bash: ./hello: Permission denied
$/lib/ld-linux.so.2 ./hello
hello world

Basically - it all boils down to:

don't use /tmp, use $TMPDIR or $TMP, failing that use $HOME/tmp.  If
that fails, use /tmp with mkstemp/mkdtemp (like Kris Kennaway wrote)
or open(2) with O_EXCL.  If everything fails, bail out or give the
user warning and option to retry. (Whatever's appropriate for the
program)

--

Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
(5877558) --------------------------------(Rewrapped)
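Tollef's fallback order ($TMPDIR, then $TMP, then $HOME/tmp, then /tmp, and give up if none works) as an added C example that is not from the original message. The usability test it applies to each candidate (must be a directory, writable by us, owned by us or root, and sticky if anyone else can write there) goes beyond what the message states: it is this example's own assumption, borrowed from the checks temp-file libraries commonly make, and the names tmpdir_usable() and pick_tmpdir() are invented here. The directory it picks is what you then hand to mkstemp()/mkdtemp() or open(2) with O_EXCL, as the message says.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is 'dir' somewhere we can trust for scratch files?  This check is the
 * example's own addition to the thread: an absolute path naming a directory,
 * owned by us (effective uid, since that is who creates files) or by root,
 * with the sticky bit set whenever group or world can write to it, so that
 * other users cannot unlink or rename our files out from under us. */
int tmpdir_usable(const char *dir)
{
    struct stat st;
    if (!dir || dir[0] != '/')
        return 0;
    if (stat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return 0;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX))
        return 0;
    return access(dir, W_OK | X_OK) == 0;
}

/* Tollef's order: $TMPDIR, $TMP, $HOME/tmp, then /tmp; first usable wins.
 * Copies the choice into 'buf' and returns it, or returns NULL when nothing
 * is usable so the caller can bail out or ask the user, as the message says. */
const char *pick_tmpdir(char *buf, size_t len)
{
    const char *env[] = { "TMPDIR", "TMP" };
    for (size_t i = 0; i < sizeof env / sizeof env[0]; i++) {
        const char *v = getenv(env[i]);
        if (v && tmpdir_usable(v) && strlen(v) < len)
            return strcpy(buf, v);
    }
    const char *home = getenv("HOME");
    if (home && snprintf(buf, len, "%s/tmp", home) < (int)len && tmpdir_usable(buf))
        return buf;
    if (len > 4 && tmpdir_usable("/tmp"))
        return strcpy(buf, "/tmp");
    return NULL;
}

int main(void)
{
    char dir[4096];
    if (!pick_tmpdir(dir, sizeof dir)) {
        fputs("no usable temporary directory; giving up\n", stderr);
        return 1;
    }
    printf("using %s\n", dir);
    return 0;
}
```

A $TMPDIR that is world-writable without the sticky bit is skipped rather than used, which is the point of running the check on the environment-supplied candidates and not only on /tmp: the variable is under the user's control, and the program should not end up trusting a directory it would never have trusted by default.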