On Sat, Apr 16, 2005 at 05:02:21PM -0700, Paul Jackson wrote:
> > And racy. And not guaranteed to come up with fresh new files.
>
> In theory perhaps. In practice no.
>
> Even mktemp(1) can collide, in theory, since there is no practical way
> in shell scripts to hold open and locked the file from the instant of it
> is determined to be a unique name.
Using the pid as a 'random' number is a bad idea. All an attacker
has to do is create 65535 symlinks in /usr/tmp, and he can now
overwrite any file you own.
mktemp is being used here to provide randomness in the filename,
not just uniqueness.
> The window of vulnerability for shell script tmp files is the lifetime
> of the script - while the file sits there unlocked. Anyone else with
> permissions can mess with it.
Attacker doesn't need to touch the script. Just take advantage of
flaws in it, and wait for someone to run it.
> More people will fail, and are already failing, using mktemp than I have
> ever seen using $$ (I've never seen a documented case, and since such
> files are not writable to other user accounts, such a collision would
> typically not go hidden.)
>
> Fast, simple portable solutions that work win over solutions with some
> theoretical advantage that don't matter in practice, but also that are
> less portable or less efficient.
I'd suggest fixing your distribution's mktemp over going with an
inferior solution.
Dave
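As an added illustration of the point argued in the thread (this is not code from either mail), the following POSIX shell shows the two naming schemes side by side: a `$$`-derived name, whose only varying part is the pid, and `mktemp(1)`, which both randomizes the suffix and has the kernel create the file with `O_CREAT|O_EXCL` and mode 0600, so a pre-existing path at that name makes the create fail rather than being followed. The `tmp_is_safe` check and the `myscript.` prefix are assumptions for the example; the check uses `ls -ld` instead of `stat(1)` because `stat`'s flags differ between GNU and BSD.

```shell
#!/bin/sh
# Added example, not from the original thread.

# The scheme under discussion: the pid is the only varying part, and pids
# are small and observable, so the resulting name is predictable.
pid_tmp_name() {
    printf '%s/myscript.%s\n' "${TMPDIR:-/tmp}" "$$"
}

# mktemp(1): random suffix, and the file is created atomically with
# O_EXCL and mode 0600 regardless of umask. If the path already exists
# (including as a symlink) the create fails instead of reusing it.
make_safe_tmp() {
    mktemp "${TMPDIR:-/tmp}/myscript.XXXXXXXXXX"
}

# Defensive check before writing scratch data: must be a regular file
# (never a symlink) with mode 0600. Assumed helper for this example.
tmp_is_safe() {
    f=$1
    [ -n "$f" ] || return 1
    [ ! -L "$f" ] || return 1              # refuse symlinks outright
    [ -f "$f" ] || return 1                # regular file only
    mode=$(ls -ld "$f" | cut -c1-10)       # e.g. -rw-------
    [ "$mode" = "-rw-------" ] || return 1
}

# Typical pattern: create, register cleanup, verify, then use.
use_tmp_example() {
    tmp=$(make_safe_tmp) || { echo "mktemp failed" >&2; return 1; }
    trap 'rm -f "$tmp"' EXIT INT TERM
    tmp_is_safe "$tmp" || { echo "refusing to use $tmp" >&2; return 1; }
    printf 'scratch data\n' > "$tmp"
    wc -l < "$tmp"
}
```

Run it with `sh -c '. ./tmpdemo.sh; use_tmp_example'` (file name assumed); note that the `trap` removes the file at exit, which is the other half of the lifetime argument in the thread: the file should exist only for as long as the script needs it.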