Paul Wise <p...@debian.org> writes:
> On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote:

>> If you (or the maintainer) review the code or analyse the program's
>> behaviour and it is using *fixed* (i.e. not random) filenames for the
>> temporary files or for the directories they are created in (/tmp or
>> /var/tmp), you might want to suggest the maintainer to review if the
>> code in charge of creating temporary files is doing this properly.

> Should I find hard-coded uses of /tmp/, do you have any suggestions or
> tips about how to assess the security impact of these issues? Up to now
> I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo
> and checked if ~pabs/foo was overwritten. I wonder if there are any
> tools to automatically assess the impact of these issues by using
> LD_PRELOAD and/or fs/user namespaces, are you aware of any of these?

You could probably use strace to find problems by looking for an
open(O_CREAT) of a file in /tmp that doesn't look like it's
mkstemp-created (ending in six random characters) and doesn't use
O_EXCL. You'll get some false positives from files in safely-created
directories.

> Based on a quick grep of /usr/bin/* I expect you are correct.

My grep doesn't look *too* awful on the fixed file name front. What grep
did you try? Looking for /tmp in a binary that doesn't also reference
TMPDIR?

> I wonder if a pedantic/experimental lintian warning about hardcoding
> use of /tmp/ would be doable or helpful, any thoughts?

Lintian already tries to do some stuff for shell scripts. The general
problem is rather hard to detect.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
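
The strace check described in the reply above, as an added example that is not part of the original message or of any Debian tool. It assumes strace's default line format; the regex, the "six alphanumerics with an uppercase letter" test for mkstemp-style names, and the rule that a successful 0700 mkdir marks a safely-created directory are assumptions of this sketch, and the trace is constructed.

```python
import re

# Matches open()/openat(AT_FDCWD)/mkdir() lines, with or without a [pid N] prefix.
CALL = re.compile(r'\b(open|openat|mkdir)\((?:AT_FDCWD, )?"([^"]*)", ([^)]*)\)\s+= (-?\d+)')
TMP_ROOTS = ("/tmp/", "/var/tmp/")

# Constructed sample trace (not captured from a real program).
SAMPLE_TRACE = """\
open("/tmp/myapp.lock", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
open("/tmp/tmp.k3QxZ9", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
open("/tmp/tmp.k3QxZ9", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 5
[pid  4242] openat(AT_FDCWD, "/var/tmp/cache.db", O_RDWR|O_CREAT, 0644) = 6
mkdir("/tmp/work.Ab12Cd", 0700) = 0
openat(AT_FDCWD, "/tmp/work.Ab12Cd/out", O_WRONLY|O_CREAT, 0644) = 7
open("/tmp/missing", O_RDONLY) = -1 ENOENT (No such file or directory)
""".splitlines()

def looks_mkstemp(path):
    """Assumed heuristic: six trailing alphanumerics with at least one uppercase letter."""
    tail = path[-6:]
    return len(tail) == 6 and tail.isalnum() and any(c.isupper() for c in tail)

def find_unsafe_creates(trace_lines):
    """Return (path, flags) for successful O_CREAT opens under /tmp that look unsafe."""
    safe_dirs, findings = [], []
    for line in trace_lines:
        m = CALL.search(line)
        if not m:
            continue
        call, path, args, ret = m.groups()
        if int(ret) < 0 or not path.startswith(TMP_ROOTS):
            continue
        if call == "mkdir":
            # mkdir() fails on an existing name, so a successful 0700 mkdir is private.
            if args.strip() == "0700":
                safe_dirs.append(path.rstrip("/") + "/")
            continue
        flags = args.split(",")[0].split("|")
        if "O_CREAT" not in flags or "O_EXCL" in flags:
            continue  # not creating, or creation is exclusive
        if looks_mkstemp(path) or path.startswith(tuple(safe_dirs)):
            continue  # random-looking name, or inside a directory we created
        findings.append((path, "|".join(flags)))
    return findings

if __name__ == "__main__":
    for path, flags in find_unsafe_creates(SAMPLE_TRACE):
        print(f"possible unsafe temp file: {path} ({flags})")
```

Relative paths and openat() calls on a directory descriptor other than AT_FDCWD are not resolved, so they are skipped rather than flagged.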