On Sat, Nov 06, 2010 at 12:47:02AM +0100, Moritz Barsnick wrote: > On Fri, Nov 05, 2010 at 11:28:32 +0100, Vincent Lefevre wrote: > > On 2010-11-04 18:41:55 +0530, Ramkumar Ramachandra wrote: > > > * Replace several 'mktemp' with safer 'mkstemp' alternative. > > But there is a difference in case of error. According to the man pages, > > The reasoning for using mktemp vs. mkstemp was described in Msg-ID > <20060817052317.GA4059@robert>[*] in August 2006 by good old Rocco (God > bless his soul), after I had actually asked. :) It didn't sound like > it was intended to be replaced. (Yes, that was a "get rid of warnings" > sub-thread back then. Déjà vu?) Rocco is right, of course. Although, there *is* a way to do this safely, if I'm not mistaken... 1. Call mkstemp() to create and open your tmp file safely 2. append the desired suffix to the resulting name 3. call link() to create the new name (a hard link) 4. write the file as you would using the file descriptor you got from mkstemp() 5. unlink the name returned by mkstemp(), leaving only the desired name with its extension NOTES: The call to link() guarantees that the resulting name did not exist, if it succeeds. If it does not, you do have to decide how to handle the error (safest thing to do is unlink the temp file created and start again -- but there should be some loop detection to detect a DoS). For maximum security, you MUST use the file descriptor returned by mkstemp(), and DO NOT reopen the file to get a new file descriptor. However unlikely, it's possible due to a race condition that an attacker could have found your new temp file and removed/renamed it before you re-open it. Glancing at the patch (and not the code), it looks to me like in some cases, the thing being created is a directory, not a file. In that case, I believe there's actually no need to bother with all this chicanery. Just use mkdtemp() directly and modify the code suitably. In any event, the patch is no good, because as Vincent points out, the interfaces of mktemp and mkstemp are incompatible, and the code which uses each must be different. If the thing being created is a file and nothing goes wrong, it will sort of work... but otherwise it's broken, sometimes giving a file when a directory was needed, and giving bad results whenever an error condition occurs. Unless I missed something, the approach above should both eliminate the warning (and the associated security weakness) and actually work. =8^) -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
Description: PGP signature