> How do you create a file with an "unpredictable" name? Why is this even
> an issue unless a script or program has the suid bit enabled? Radiance
> programs should never have permission to do anything a user couldn't,
> unless they're being run by root.
Files with an unpredictable and unique name are generated by using
random letters and numbers within the filename *and* - preferably in an
atomic way - creating the file and opening it for reading/writing.
This is also the reason why gcc warns about the use of mktemp(3). It
requires a filename ending with an extension of XXXXXX (six x's). When
the temporary file is generated, the name of the file is generated by
taking the predetermined name in the program, and filling the field of
X's with a random value. However, some operating systems fill the first
five X's in the field with the process number, and the last X with one
of twenty-six lower case letters in the alphabet. Even worse, mktemp(3)
does not create and open the file, so if you call mktemp(3) twice, you
could end up with the same predictable filename.
But why is this bad?
If I'm an evil person and know that a program creates a file in /tmp in
an insecure (== predictable) way, I can
- create the file on my own, so - depending on the program of course -
I'm able to feed the program with my data or let it execute stuff with
the rights of the user who runs the program.
- use a symlink attack and create a symlink which points to some other
file - for example to destroy files of the user running the program.
Imagine you're rendering something for hours, and while rendering the
last piece of the image I trick one of the programs/scripts into writing
its temporary junk into the result of hours of rendering - your work is
So this is not really related to being root or not, but it's a good way
to gain more privileges on a system on the way to becoming root.
Although the impact of this kind of vulnerability is low, it is still
bad enough to get a CVE id for it and end up with fixes by security
uploads and the according announcements in the distributions....
For shell scripts the best thing to use is the mktemp(1) utility (if
it's available, which is the case for most platforms these days, afaik),
otherwise a file name with at least enough random letters/numbers needs
to be used.
There are quite a few scripts that create temporary files this way in
% grep -l '/tmp' */*.csh
I'll see what's the best way to fix this in Debian - which needs to be
done before Lenny is released (==soon).
Bernd Zeimetz Debian GNU/Linux Developer
GPG Fingerprint: 06C8 C9A2 EAAD E37E 5B2C BE93 067A AD04 C93B FF79
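The mktemp(1)-based replacement for the predictable "/tmp/name.$$" pattern that the mail recommends for shell scripts, as an added example in POSIX sh. This is not code from the mail or from Radiance: the function names are mine, and it assumes a mktemp(1) that accepts a template ending in X's and the -d flag (GNU and BSD do) and an ls -ld that prints the mode string first.

```shell
#!/bin/sh
# Added example (not from the original mail or from Radiance): safe
# temporary files in a POSIX shell script via mktemp(1).

# The weak pattern the mail describes: the name contains only the PID,
# which is easy to guess, and nothing is created here, so whoever gets to
# the path first (a pre-created file, a symlink to the user's render
# output) decides what the script later reads from or overwrites.
insecure_tmpname() {
    echo "/tmp/render.$$"
}

# The fix: mktemp(1) replaces the X's with random characters and creates
# the file in one step with O_CREAT|O_EXCL and mode 0600, so an existing
# file or symlink at that path makes creation fail instead of being used.
# TMPDIR is honoured so the caller can move scratch space off /tmp.
safe_tmpfile() {
    f=$(mktemp "${TMPDIR:-/tmp}/render.XXXXXXXXXX") || return 1
    printf '%s\n' "$f"
}

# Same for a scratch directory (mktemp -d), useful when a script needs
# several temporary files: only the directory name must be unguessable.
safe_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/render.XXXXXXXXXX") || return 1
    printf '%s\n' "$d"
}

# Sanity check a path before trusting it: must be a regular file, not a
# symlink (-f follows symlinks, hence the extra -L test), mode 0600.
check_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Whole pattern: create, register cleanup for every exit path, then use.
# Runs only when invoked as: sh thisfile.sh demo
demo() {
    tmp=$(safe_tmpfile) || { echo "cannot create temporary file" >&2; return 1; }
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    echo "scene data (constructed sample, not real Radiance input)" > "$tmp"
    check_private_file "$tmp" && echo "using private temporary file $tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The important property is not the random suffix alone but that creation and naming happen in one exclusive step; a script that picks a random name and then does `> "$name"` still has the race the mail describes. The C equivalent of the same fix is mkstemp(3), which creates and opens the file instead of only returning a name like mktemp(3) does.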