
Re: mutt_adv_mktemp() ?



On 2006-10-04 16:05:14 +0000, Rocco Rutte wrote:

> A configure test for mkstemps() as well as using it should be
> quite easy. Maybe I'll some minutes this week to do it... but if
> someone is faster... :-)

Sorry for chiming in that late, but what's the purpose of the
suggested change, again?

The basic logic of mkstemp is to start out with a candidate file
name, and then do a safe open on it (with O_EXCL set, namely).  
That's iterated if the open fails, and ultimately a file descriptor
gets returned.

The nice property here is that the calling code is guaranteed to get
a "clean" temporary file descriptor.

If you look at mutt's code, safe_fopen will use O_EXCL whenever a
temporary file is opened for writing.

So, what mutt effectively does is to do one of the cycles that
mkstemp iterates, so there is a small possibility that an attacker
might sneak in a file, and the safe_fopen fails.  The code was
written pretty carefully to make sure that that's the only risk
there is; it's reasonably acceptable.

Also, if you're really concerned about this point, just use a
user-specific temporary directory.  I, for one, have been using
~/.tmp (mode 700) for any number of years.  Works very well.

A move to mkstemp style wouldn't be rocket science, but mostly a lot
of tedious work of walking through invocation paths and changing
file name parameters to file descriptors or file handles.  Given
that mutt needs to create file names according to templates, you'd
probably want to write a reimplementation of mkstemp that can deal
with this, btw.

(If all you suggest to do is close the file descriptor returned and
then manipulate the file by name, that actually might open up a new
hole...)

So, overall, I don't think the change is worth it.  If done
properly, it's nothing I'd oppose, though.  

Cheers,
-- 
Thomas Roessler   <roessler@xxxxxxxxxxxxxxxxxx>
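The mkstemp behaviour described in this reply, as an added example that is not mutt's code nor the author's: an mkstemps()-style retry loop beside the single O_EXCL attempt the message compares it to, plus a deterministic demonstration of the collision case where the one-cycle open fails and the loop simply moves on. The template path, the helper names and the use of rand() for the candidate names are assumptions for illustration only.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define TEMPLATE  "/tmp/mutt-exampleXXXXXX.txt"   /* constructed; helpers below are not mutt's */
#define SUFFIXLEN 4                               /* strlen(".txt") */
static const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* One cycle of what mkstemp(3) iterates: randomise the six X's before the suffix and
 * open with O_CREAT|O_EXCL, so a file that is already there (however it got there)
 * fails the open instead of being reused. rand() is for portability, not security. */
int try_once(char *tmpl, size_t suffixlen)
{
    size_t len = strlen(tmpl), x = len - suffixlen - 6;
    if (len < suffixlen + 6 || strncmp(tmpl + x, "XXXXXX", 6)) { errno = EINVAL; return -1; }
    for (size_t i = x; i < x + 6; i++)
        tmpl[i] = charset[(unsigned)rand() % (sizeof charset - 1)];
    return open(tmpl, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* The full loop: EEXIST just means "pick another name"; any other errno is returned
 * as-is. On success tmpl holds the name that was actually created. */
int safe_mkstemps(char *tmpl, size_t suffixlen)
{
    size_t len = strlen(tmpl);
    if (len < suffixlen + 6) { errno = EINVAL; return -1; }
    for (int tries = 0; tries < 100; tries++) {
        memcpy(tmpl + len - suffixlen - 6, "XXXXXX", 6);   /* restore the template */
        int fd = try_once(tmpl, suffixlen);
        if (fd >= 0 || errno != EEXIST) return fd;
    }
    errno = EEXIST; return -1;
}

/* Deterministic illustration of the thread's point: with the same seed the single
 * cycle re-picks a name that already exists and gets EEXIST, while the loop moves on
 * to the next candidate. Returns 1 on that outcome, 0 otherwise; cleans up its files. */
int collision_demo(void)
{
    char first[64] = TEMPLATE, again[64] = TEMPLATE, looped[64] = TEMPLATE;
    srand(12345); int fd1 = try_once(first, SUFFIXLEN);         /* creates the file */
    if (fd1 < 0) return 0;
    srand(12345); int fd2 = try_once(again, SUFFIXLEN);         /* same name: must fail */
    int single_failed = (fd2 < 0 && errno == EEXIST);
    srand(12345); int fd3 = safe_mkstemps(looped, SUFFIXLEN);   /* skips the taken name */
    int ok = single_failed && fd3 >= 0 && strcmp(looped, first) != 0;
    if (fd2 >= 0) close(fd2);
    if (fd3 >= 0) { close(fd3); unlink(looped); }
    close(fd1); unlink(first); return ok;
}
```

The returned descriptor is the only handle the caller should keep; closing it and reopening by name would reintroduce exactly the window the loop exists to avoid.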