/tmp/ and security


  1. #1
    Epy (Fortran lover)
    Join Date: Sep 2009 | Location: California, USA | Posts: 978

    /tmp/ and security

    I was told that using a system call to extract directly to /tmp is a security issue and that I should create a temporary directory instead. Is this true? I would think that someone naming a file something like " && rm -rf ~ && " would be more of an issue, which I was already aware of. Thanks in advance.

  2. #2
    MK27 (spurious conceit)
    Join Date: Jul 2008 | Location: segmentation fault | Posts: 8,300

    Extract what?
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  3. #3
    Epy (Fortran lover)
    Join Date: Sep 2009 | Location: California, USA | Posts: 978

    Well if you want to know the specifics, I made a crappy plugin for audacious that extracts SNES .spc files from .rar files, and it extracts them to a new directory in /tmp/. The lead developer, who is a friggin jerk, claims this is a great security risk and that I should use mktemp() to make a secure extraction location. I just want to know if he was just being a jerk again or if he actually has a point.

    The only security risk I'm aware of in my own code is using system() to do the extraction.

  4. #4
    MK27 (spurious conceit)
    Join Date: Jul 2008 | Location: segmentation fault | Posts: 8,300

    I think when you become a lead developer you can get a special badge that says, "WARNING: LICENSE TO BE A JERK" on it.

    The only thing I could find about it is this:
    Linux Security Administrator's Guide: Writing Secure Code

    It sounds to me like because /tmp has 777 permission, if you open a file there as root*, and someone without root permission has predicted you are going to do this and has put a pipe there with the same name as the file you are going to create, you will be opening their pipe (or symlink), which if they still have it open, they now have a pipe with root ownership**. Doesn't say how the crack proceeds from there, but to prevent it, you should use a tmp directory in the user's $HOME directory (meaning the permissions are more restrictive -- if someone already has access to this, they would not be gaining anything more). You can probably get $HOME with getenv, I always use getpwuid(), which perhaps audacious (audacious rocks) already does:

    User Database - The GNU C Library

    * the same problem applies no matter who you are, since "nobody" could create a pipe in /tmp
    ** that doesn't quite make sense but this is the gist
    Last edited by MK27; 04-17-2010 at 05:05 PM.

  5. #5
    VIM addict
    Join Date: May 2009 | Location: Chennai, India | Posts: 43

    Quote, originally posted by MK27:
    It sounds to me like because /tmp has 777 permission, if you open a file there as root*, and someone without root permission has predicted you are going to do this and has put a pipe there with the same name as the file you are going to create, you will be opening their pipe (or symlink), which if they still have it open, they now have a pipe with root ownership**.
    Never knew this one. That was an excellent point.
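
An added example, not code from the thread or from audacious: a private extraction directory made with mkdtemp() (the directory-creating relative of the mktemp() mentioned above), plus file creation with O_CREAT|O_EXCL so that a symlink or FIFO already waiting at the chosen name is refused instead of opened. The prefix spc-extract- and the file name track.spc are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create /tmp/spc-extract-XXXXXX (hypothetical prefix) with a random suffix.
   mkdtemp() creates it with mode 0700 and fails if the name already exists. */
int make_private_dir(char *buf, size_t len) {
    if (snprintf(buf, len, "/tmp/spc-extract-XXXXXX") >= (int)len) return -1;
    return mkdtemp(buf) ? 0 : -1;
}

/* 1 if dir is a real directory, owned by us, closed to group and other. */
int dir_is_private(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

/* Create a new file; O_CREAT|O_EXCL fails with EEXIST if anything (file,
   symlink, FIFO) is already at path, and never follows a symlink there. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: an entry already sits at the name we want to create.
   Returns the errno from create_exclusive() (0 if it wrongly succeeded). */
int planted_entry_errno(const char *dir, int use_fifo) {
    char path[256];
    snprintf(path, sizeof path, "%s/track.spc", dir);
    if (use_fifo ? mkfifo(path, 0600) : symlink("/nonexistent/target", path)) return -1;
    int fd = create_exclusive(path);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(path);
    return err;
}

int main(void) {
    char dir[64];
    if (make_private_dir(dir, sizeof dir) != 0) { perror("mkdtemp"); return 1; }
    printf("%s private=%d EEXIST=%d\n", dir, dir_is_private(dir), EEXIST);
    printf("symlink in the way: errno %d\n", planted_entry_errno(dir, 0));
    printf("FIFO in the way:    errno %d\n", planted_entry_errno(dir, 1));
    return rmdir(dir) != 0;
}
```

Because the directory is mode 0700 and its name is not predictable, other local users cannot place entries inside it; the exclusive create is the second layer that catches the case where something is there anyway.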
