Martin Pool's blog

Mail me RSS Bazaar distcc Canonical is hiring! flickr

/tmp sucks

Since January 2003, Debian has had six security advisories relating to insecure temporary files. Most of these are not Debian-specific, but rather problems in the upstream source.

A typical problem is that a program will create a file with a predictable name in /tmp, without adequate checks for whether it already exists. Because /tmp is world-writable, a local attacker can create the file before the program runs, and either make the program write somewhere it shouldn't, or examine what is written.

Many of these are not enormous problems: in the first place, they can only be exploited by an attacker who already has an account on the machine, which is not a problem for most hosts. (Either they are single-user, or the users can be held accountable.) Secondly most of these problems have been in packages that I suspect are not used by the majority of people, such as an emacs IRC client. They're still important to fix, but not as bad as the Windows worms that seem to be currently bringing some companies to a standstill.

SuSE have an article discussing other temporary file security problems from the developer's perspective.

What really annoys me is that most of them could be systematically avoided by using per-user private temporary directories. I suppose this might cause trouble for files that really need to be shared between users but I think those cases are the exception. Of course individual users can set TMPDIR=~/tmp but it would be nice to see it made the system-wide default.

libpam-tmpdir will apparently do this, including creating the temporary directory as needed. It might be nice if it were on by default. I can't see a homepage for it aside from the Debian package page so I don't know if it would be in any other systems.

posted Wed 23 Jul 2003 in /software/security | link

Copyright (C) 1999-2007 Martin Pool.