Alexandre Oliva <[EMAIL PROTECTED]> writes:

> Moreover, there's another problem: any user may simply touch
> /tmp/conftest9012345 and cause autoconf to think long filenames are not
> supported, unless the user sets TMPDIR to something other than /tmp.  No
> good.

If the goal is to avoid denial of service attacks such as this, using $$
in the file name isn't sufficient either, as the PID is predictable.  At
that point, you pretty much have to use something that includes
high-entropy randomness, which is beyond the capabilities of most shell
scripts.

There are really two separate issues.  Avoiding symlink attacks on
temporary files requires using a safe open (O_CREAT | O_EXCL or the
equivalent) in a directory with the sticky bit set.  Including the PID or
time in the file name is not sufficient to protect against symlink attacks
since those values are predictable and vulnerable to a brute-force attack.
If you use a safe open on a properly configured system, you're safe
against symlink attacks even if you use a completely predictable and fixed
file name.

Separately, avoiding DoS attacks by creating files with the same names as
your intended temporary files requires putting unpredictable randomness
into the temporary file names and cannot be addressed using safe opens.
Most applications have little reason to worry about this; just exiting if
the temporary file name is already taken, provided some care is taken to
avoid accidental collisions, is generally sufficient.  Problems can be
taken care of using non-technical measures (disabling the account of the
person on the system who's launching local DoS attacks), since this isn't
a network-accessible DoS attack.

For the particular problem that autoconf is trying to solve here, what you
really want is a file creation command that portably distinguishes between
"file already exists" and "file name too long"; probably not possible in
highly portable shell.  :/

To address the more pressing security measure, the symlink attack, I
prefer using temporary directories rather than temporary files in shell
scripts.  There's no good way that I've found to portably use a safe open
in a shell script, but Unix mkdir semantics are already safe provided that
the sticky bit is set on /tmp.

-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
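The mkdir-based approach described above, as an added example that is not part of the original mail: a POSIX sh function that creates a private temporary directory using only mkdir semantics, after checking that the parent has the sticky bit set. The function names, the sticky-bit check via ls(1), and the PID-plus-counter naming scheme are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail.  mkdir(2) is atomic and fails
# with EEXIST if anything (including a symlink) already has the requested
# name, so a successful mkdir means we own a fresh directory and files
# created inside it cannot be redirected by a symlink planted in advance.
# The precondition, as the mail states, is a sticky-bit parent such as /tmp.

# Return 0 if directory $1 has the sticky bit set.  Parses ls(1) output
# instead of relying on test -k, which is not available in every sh.
is_sticky_dir() {
    case $(ls -ld "$1" 2>/dev/null) in
        d????????[tT]*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_safe_tmpdir PARENT [PREFIX]: prints the path of the new directory.
# The name (PID plus attempt counter) is predictable; that only matters for
# local denial of service, which this function answers by trying a few
# names and then giving up, exactly as the mail suggests.
make_safe_tmpdir() {
    parent=$1
    prefix=${2:-conftest}
    is_sticky_dir "$parent" || {
        echo "make_safe_tmpdir: $parent lacks the sticky bit" >&2
        return 1
    }
    attempt=0
    while [ "$attempt" -lt 10 ]; do
        dir="$parent/$prefix.$$.$attempt"
        # -m 0700 sets the mode at creation; there is no chmod window.
        if mkdir -m 0700 "$dir" 2>/dev/null; then
            echo "$dir"
            return 0
        fi
        attempt=$((attempt + 1))
    done
    echo "make_safe_tmpdir: no fresh name available" >&2
    return 1
}

# Demo: create a work file inside the private directory, then clean up.
if [ "${1:-}" = "--demo" ]; then
    work=$(make_safe_tmpdir "${TMPDIR:-/tmp}") || exit 1
    printf 'hello\n' > "$work/output"
    cat "$work/output"
    rm -rf "$work"
fi
```

Run with `sh script.sh --demo` to see it create and use a directory under $TMPDIR.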
