OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Tempfile vulnerabilities
From: Theo de Raadt (deraadtCVS.OPENBSD.ORG)
Date: Tue Feb 01 2000 - 16:15:37 CST

That fix is not correct.

You're just hoping that if you can make a filename that noone can
guess, that you'll be the first person to open it?

I suggest you read the OpenBSD mkstemp(3) man page, and apply what
you learn there to perl code. The only way to handle this correctly
is to use the O_CREAT|O_EXL flag on the final open system call.

Go back and read the stuff I've posted to bugtraq over the last three
years about /tmp races. Everyone's just repeating the same mistakes.

> >>>>> foo <fooBLACKLISTED.INTRANOVA.NET> writes:
>
> > In Autobuse's main perl script, line 96:
> >
> > if(!$test_run) {
> > open OUT, ">/tmp/autobuse_report.$$"
> > or die "can't open /tmp/autobuse_report.$$";
> > select OUT;
> > }
>
> This is fixed, partly, in autobuse version snap949125599, and more so
> in today's snap949380617, which uses this mktemp function:
>
> sub get_tmpfile {
> my $file;
> do {
> open RAN, "/dev/random" || die;
> read(RAN,$foo,16);
> close RAN;
> $file = '/tmp/autobuse' . unpack('H16',$foo);
> } while (-e $file || -l $file);
>
> return $file;
> }
>
> This method is Linux-specific, but that's all I need. The fixed
> autobuse is available at http://www.picante.com/~gtaylor/autobuse/
>
> Note that Autobuse has, as far as I know, zero users (including me).
> If I am wrong about this, please let me know!
>
> --
> Grant Taylor - gtaylor at picante.com - http://www.picante.com/~gtaylor/
> Linux Printing HOWTO: http://www.picante.com/~gtaylor/pht/