On Sun, May 24, 2009 at 12:52 PM, Kyle Sluder <kyle.slu...@gmail.com> wrote:
> 1. Non-privileged process A running as user Alice creates a file
> called /tmp/ipc.
> 2. A signals to privileged process B, running as root, that the file exists.
> 3. Malevolent process C, running as user Eve, notices the file,
> unlinks it (which it can do due to the permissions on /tmp) and
> creates a new one in its place with its own preferred contents.
Malevolent process C fails. /tmp has a special permissions bit set called the sticky bit. When set on directories, the sticky bit modifies the standard UNIX permissions model and makes it so that the directory's contents can only be deleted or renamed by the owner of the item in question, of the directory, or root. In other words, if I write to /tmp/xyz and then you try to rm /tmp/xyz, your attempt will fail. Give it a try and see.

Certainly there are risks with using /tmp, but it *can* be done correctly. You need to open the file with O_EXCL to ensure that the file didn't already exist, and you need to open it with permissions set so that nobody else can write to the file. If you do this (and properly handle errors when they happen, obviously) then other non-privileged users can't jump in the middle as you describe.

Mike

_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
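The creation pattern Mike describes (O_CREAT|O_EXCL so a pre-existing file or symlink makes the open fail, plus a 0600 mode so no other user can write to it), as an added C example that is not code from this thread. The helper names, the `/tmp/excl-demo-XXXXXX` directory template and the `ipc` file name are constructed for the demonstration; the post-open fstat check is an extra defensive step beyond what the email lists.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp(3) and O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` only if nothing is there yet, readable and writable by the
 * owner alone. O_EXCL makes open() fail with EEXIST if any entry (including a
 * symlink planted by another user) already occupies the name; O_NOFOLLOW is
 * belt-and-braces on the same point. Returns an open fd, or -1 with errno set.
 * (Hypothetical helper written for this example.) */
int create_private_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);          /* mode 0600 */
    if (fd < 0)
        return -1;

    /* Defensive post-check on the descriptor we actually hold: a regular
     * file, owned by us, with no group/other permission bits. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Walk through the scenario once: create the file, write to it, then show
 * that a second exclusive create of the same name is refused with EEXIST,
 * which is what blocks the "replace it with my own contents" step.
 * Returns 0 on the expected outcome, a small nonzero code otherwise. */
int demo_exclusive_create(const char *path) {
    int fd = create_private_file(path);
    if (fd < 0)
        return 1;                                   /* could not create */

    const char msg[] = "hello from process A\n";    /* constructed payload */
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fd); unlink(path);
        return 2;                                   /* write failed */
    }

    int again = create_private_file(path);          /* must fail: name taken */
    int saved = errno;
    if (again >= 0) {
        close(again); close(fd); unlink(path);
        return 3;                                   /* O_EXCL did not refuse */
    }

    close(fd);
    unlink(path);                                   /* we own it, so this works */
    return saved == EEXIST ? 0 : 4;
}

/* Run the demonstration in a fresh mkdtemp(3) directory under /tmp and clean
 * up afterwards. Returns 0 when everything behaved as described. */
int run_demo(void) {
    char dir[] = "/tmp/excl-demo-XXXXXX";           /* mkdtemp fills the X's */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[sizeof dir + 8];
    snprintf(path, sizeof path, "%s/ipc", dir);
    int rc = demo_exclusive_create(path);
    rmdir(dir);                                     /* file already unlinked */
    return rc;
}

int main(void) {
    int rc = run_demo();
    if (rc == 0)
        puts("second O_EXCL create failed with EEXIST, as expected");
    else
        printf("unexpected result: %d\n", rc);
    return rc;
}
```

The fstat check is the part worth noting for a privileged process B: it validates the descriptor it actually holds rather than a path it was told about, so the decision to trust the file is not based on a name that another user could have re-pointed between A's signal and B's open.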