Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Tempfile vulnerabilities
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Tue, 1 Feb 2000 15:15:37 -0700


That fix is not correct.

You're just hoping that if you can make a filename that noone can
guess, that you'll be the first person to open it?

I suggest you read the OpenBSD mkstemp(3) man page, and apply what
you learn there to perl code.  The only way to handle this correctly
is to use the O_CREAT|O_EXL flag on the final open system call.

Go back and read the stuff I've posted to bugtraq over the last three
years about /tmp races.  Everyone's just repeating the same mistakes.

foo <foo () BLACKLISTED INTRANOVA NET> writes:

In Autobuse's main perl script, line 96:

        if(!$test_run) {
                open OUT, ">/tmp/autobuse_report.$$"
                        or die "can't open /tmp/autobuse_report.$$";
                select OUT;
        }

This is fixed, partly, in autobuse version snap949125599, and more so
in today's snap949380617, which uses this mktemp function:

   sub get_tmpfile {
       my $file;
       do {
         open RAN, "/dev/random" || die;
         read(RAN,$foo,16);
         close RAN;
         $file = '/tmp/autobuse' . unpack('H16',$foo);
       } while (-e $file || -l $file);

       return $file;
   }

This method is Linux-specific, but that's all I need.  The fixed
autobuse is available at http://www.picante.com/~gtaylor/autobuse/

Note that Autobuse has, as far as I know, zero users (including me).
If I am wrong about this, please let me know!

--
Grant Taylor - gtaylor at picante.com - http://www.picante.com/~gtaylor/
    Linux Printing HOWTO:  http://www.picante.com/~gtaylor/pht/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault