On 08/07/2013 14:23, Daniel Kahn Gillmor wrote:
> On 07/08/2013 07:55 AM, Jérémy Lal wrote:
> 
>> I am curious about how `npm install mymodule` could be a target for an
>> attacker, especially considering the temp directory is used only once
>> (at (un)tar times).
> 
> if the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an
> attacker could watch the process table for a process named "npm", and as
> soon as it appears (say, as pid 13577), create a symlink at
> /tmp/npm-13577 that points to, say, the home directory of the user npm,
> which might have the effect of clobbering any similarly-named files.
> 
> This is a crude attack, but depending on the contents of the tarball it
> could be pretty unfortunate (e.g. if the tarball contains a file named
> secring.gpg, and the attacker points the symlink to the victim's
> ~/.gnupg ?).


I still do not understand if this is really a security issue.
IMO if a program on your system does that, the whole system is compromised,
you can't really be hardening any software against it.

If you disagree, do you mind if we move this discussion to upstream
[nodejs] discussion group? We'll probably find some enlightenment there.

Jérémy.
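
The predictable-name scenario from the quoted message, next to a `mkdtemp`-based alternative, as an added example that is not part of the original thread or of npm's code. The `npm-$PID` naming and the `secring.gpg` file name come from the quoted text; the sandbox layout, function names and file contents are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Unsafe pattern: predictable name with "create if missing" semantics.
// A symlink already sitting at that path is silently followed.
function unsafeTmp(base, pid) {
  const dir = path.join(base, `npm-${pid}`);
  fs.mkdirSync(dir, { recursive: true }); // no error if the path already exists
  return dir;
}

// Hardened pattern: mkdtemp appends a random suffix and creates a fresh
// directory (mode 0700 on POSIX); it never reuses an existing path.
function safeTmp(base) {
  return fs.mkdtempSync(path.join(base, 'npm-'));
}

// Stand-in for untarring: write one file from the "tarball" into dir.
function extract(dir, name, data) {
  fs.writeFileSync(path.join(dir, name), data);
}

// Constructed scenario, confined to a private sandbox directory.
function demo() {
  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'demo-'));
  const sharedTmp = path.join(sandbox, 'tmp');    // plays the role of /tmp
  const victimDir = path.join(sandbox, 'victim'); // plays the role of ~/.gnupg
  const victimFile = path.join(victimDir, 'secring.gpg');
  fs.mkdirSync(sharedTmp);
  fs.mkdirSync(victimDir);
  fs.writeFileSync(victimFile, 'original');
  const pid = 13577; // constructed value, same as in the quoted message
  // Pre-existing symlink at the predictable path, as described in the thread.
  fs.symlinkSync(victimDir, path.join(sharedTmp, `npm-${pid}`), 'dir');

  extract(unsafeTmp(sharedTmp, pid), 'secring.gpg', 'from tarball');
  const afterUnsafe = fs.readFileSync(victimFile, 'utf8');

  fs.writeFileSync(victimFile, 'original'); // reset before the second run
  const dir = safeTmp(sharedTmp);
  extract(dir, 'secring.gpg', 'from tarball');
  const afterSafe = fs.readFileSync(victimFile, 'utf8');
  const isRealDir = fs.lstatSync(dir).isDirectory(); // lstat does not follow links

  fs.rmSync(sandbox, { recursive: true, force: true });
  return { afterUnsafe, afterSafe, isRealDir };
}
```

`demo()` returns the victim file's contents after each run: overwritten in the predictable-name case, untouched when the directory comes from `mkdtemp`.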

