/tmp/ and security

Epy
04-15-2010, 06:13 AM
I was told that using a system call to extract directly to /tmp is a security issue and that I should create a temporary directory instead. Is this true? I would think that someone naming a file something like " && rm -rf ~ && " would be more of an issue, which I was already aware of. Thanks in advance.

MK27
04-15-2010, 08:05 AM
Extract what?

Epy
04-17-2010, 03:40 PM
Well if you want to know the specifics, I made a crappy plugin for audacious that extracts SNES .spc files from .rar files, and it extracts them to a new directory in /tmp/. The lead developer, who is a friggin jerk, claims this is a great security risk and that I should use mktemp() to make a secure extraction location. I just want to know if he was just being a jerk again or if he actually has a point.

The only security risk I'm aware of in my own code is using system() to do the extraction.

MK27
04-17-2010, 03:59 PM
I think when you become a lead developer you can get a special badge that says, "WARNING: LICENSE TO BE A JERK" on it. :p

The only thing I could find about it is this:
Linux Security Administrator's Guide: Writing Secure Code (http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide-13.html)

It sounds to me like because /tmp has 777 permission, if you open a file there as root*, and someone without root permission has predicted you are going to do this and has put a pipe there with the same name as the file you are going to create, you will be opening their pipe (or symlink), which if they still have it open, they now have a pipe with root ownership**. Doesn't say how the crack proceeds from there, but to prevent it, you should use a tmp directory in the user's $HOME directory (meaning the permissions are more restrictive -- if someone already has access to this, they would not be gaining anything more). You can probably get $HOME with getenv; I always use getpwuid(), which perhaps audacious (audacious rocks) already does:

User Database - The GNU C Library (http://gnu.april.org/software/libtool/manual/libc/User-Database.html)

* the same problem applies no matter who you are, since "nobody" could create a pipe in /tmp
** that doesn't quite make sense but this is the gist
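
Added example (not code from the thread or from the audacious plugin): the two fixes the posts above point at, in C. mkdtemp() creates a 0700 directory with an unpredictable name, preferring $HOME over /tmp, so a pre-placed symlink or pipe cannot be opened by mistake; fork()/execvp() replaces system(), so an archive name containing shell metacharacters is passed as one opaque argument. The "unrar x -- archive dir/" command line in extract_spc() is an assumption about the extractor, not something the thread specifies.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Create a private, unpredictably named extraction directory, trying $HOME
 * first and /tmp only as a fallback. mkdtemp() creates it with mode 0700 and
 * fails if the name already exists, so nobody can pre-place a symlink or pipe
 * where the plugin is about to write. Returns 0 and fills buf, or -1. */
int make_extract_dir(char *buf, size_t len)
{
    const char *bases[] = { getenv("HOME"), "/tmp" };
    for (int i = 0; i < 2; i++) {
        if (!bases[i] || !*bases[i]) continue;
        int n = snprintf(buf, len, "%s/.spc-extract-XXXXXX", bases[i]);
        if (n < 0 || (size_t)n >= len) continue;
        if (mkdtemp(buf)) return 0;
    }
    return -1;
}

/* Run a program without a shell. argv goes straight to execvp(), so a file
 * name such as  " && rm -rf ~ && "  arrives as one opaque argument and is
 * never parsed as a command line. Returns the child's exit status, or -1. */
int run_command(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* exec failed: same status a shell gives */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Both pieces together: the shape the plugin's system() call should take.
 * Assumes "unrar x -- <archive> <dir>/" (hypothetical extractor usage). */
int extract_spc(const char *archive, char *dir, size_t dirlen)
{
    char dest[4096];
    if (make_extract_dir(dir, dirlen) < 0) return -1;
    snprintf(dest, sizeof dest, "%s/", dir);   /* trailing '/' = target dir */
    char *const argv[] = { "unrar", "x", "--", (char *)archive, dest, NULL };
    return run_command(argv);
}
```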

cbalu
05-05-2010, 05:36 AM
It sounds to me like because /tmp has 777 permission, if you open a file there as root*, and someone without root permission has predicted you are going to do this and has put a pipe there with the same name as the file you are going to create, you will be opening their pipe (or symlink), which if they still have it open, they now have a pipe with root ownership**.

Never knew this one. That was an excellent point.