On Fri, 2012-02-10 at 18:53 -0800, Russ Allbery wrote:
> Paul Wise <p...@debian.org> writes:
> > On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote:
>
> >> If you (or the maintainer) review the code or analyse the program's
> >> behaviour and it is using *fixed* (i.e. not random) filenames for the
> >> temporary files or for the directories they are created in (/tmp or
> >> /var/tmp), you might want to suggest the maintainer to review if the
> >> code in charge of creating temporary files is doing this properly.
>
> > Should I find hard-coded uses of /tmp/, do you have any suggestions or
> > tips about how to assess the security impact of these issues. Up to now
> > I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo
> > and checked if ~pabs/foo was overwritten. I wonder if there are any
> > tools to automatically assess the impact of these issues by using
> > LD_PRELOAD and or fs/user namespaces, are you aware of any of these?
>
> You could probably use strace to find problems by looking for an
> open(O_CREAT) of a file in /tmp that doesn't look like it's
> mkstemp-created (ending in six random characters) and doesn't use O_EXCL.

[...]
The test should be for non-random names *or* missing O_EXCL. Use of an
entirely predictable name with O_EXCL allows a DoS and use of a
pseudo-random name without O_EXCL may still be exploitable for overwriting
other files if the attacker can try repeatedly. (Note we may yet patch the
kernel to stop most such attacks.)

Ben.

--
Ben Hutchings
The generation of random numbers is too important to be left to chance.
 - Robert Coveyou
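Russ's strace idea combined with Ben's stricter test, as an added example that is not part of the thread: a small Python checker over strace output that flags every O_CREAT under /tmp or /var/tmp whose name is not mkstemp-like *or* which lacks O_EXCL. The mkstemp-name heuristic and the sample strace lines are assumptions of this example, not anything from the thread.

```python
import re

# Ben's test over strace output: flag any O_CREAT of a file under /tmp or
# /var/tmp whose name is not random-looking *or* which lacks O_EXCL.
TMP_DIRS = ("/tmp/", "/var/tmp/")
OPEN_RE = re.compile(r'^(?:open|openat)\((?:[^,"]+, )?"([^"]+)", ([A-Z0-9_|]+)')

def looks_random(path):
    """Heuristic (an assumption of this example) for a mkstemp-style name:
    six trailing ASCII alphanumerics from at least two character classes."""
    tail = path.rsplit("/", 1)[-1][-6:]
    if len(tail) != 6 or not (tail.isascii() and tail.isalnum()):
        return False
    classes = (any(c.islower() for c in tail), any(c.isupper() for c in tail),
               any(c.isdigit() for c in tail))
    return sum(classes) >= 2

def classify(line):
    """Return (path, verdict) for a temp-file create, or None otherwise."""
    m = OPEN_RE.match(line)
    if not m:
        return None
    path, flags = m.group(1), set(m.group(2).split("|"))
    if "O_CREAT" not in flags or not path.startswith(TMP_DIRS):
        return None
    rand, excl = looks_random(path), "O_EXCL" in flags
    if rand and excl:
        return path, "ok"
    if not rand and not excl:
        return path, "fixed name without O_EXCL: symlink/overwrite attack"
    if not rand:
        return path, "fixed name with O_EXCL: pre-creation denial of service"
    return path, "random name without O_EXCL: overwrite possible on repeated tries"

def audit(lines):
    """Run classify over strace lines; return only the findings that are not ok."""
    results = [classify(line.strip()) for line in lines]
    return [r for r in results if r and r[1] != "ok"]

# Constructed strace lines for this example (not a real trace).
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/tmp/foo.lock", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 3
openat(AT_FDCWD, "/tmp/tmpAbC123", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
open("/tmp/app.pid", O_WRONLY|O_CREAT|O_EXCL, 0644) = 5
openat(AT_FDCWD, "/var/tmp/cache-Xy9qL2", O_WRONLY|O_CREAT, 0600) = 6
openat(AT_FDCWD, "/home/user/.config", O_RDONLY) = 7
"""

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_STRACE.splitlines()):
        print(f"{path}: {verdict}")
```

Feed it real output from `strace -f -e trace=open,openat -o trace.log <program>` by passing the file's lines to `audit()`; a clean run returns an empty list.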