Re: temp files for security/logcheck

From: Greg White (gregw-freebsd-security@greg.cex.ca)
Date: 03/11/01


Date: Sat, 10 Mar 2001 23:08:43 -0800
From: Greg White <gregw-freebsd-security@greg.cex.ca>
To: FreeBSD Security <freebsd-security@freebsd.org>

On Sat, Mar 10, 2001 at 10:53:46PM -0800, Kris Kennaway wrote:
> On Sun, Mar 11, 2001 at 05:47:58PM +1300, Dan Langille wrote:
> > AFAIK, the files disappear each time the script is run:
> >
> > umask 077
> > rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$
>
> [...]
>
> Blah, that's an insecure way to create files in $TMPDIR (which is
> usually /tmp). It needs to use mktemp(1).
>
> Kris

It is in general, but not in this case. The script and the directory are
mode 0700 -- this makes it difficult for it to be insecure. $TMPDIR is
explicitly set.

-- 
Greg White
Those who make peaceful revolution impossible will make violent
revolution inevitable.
                -- John F. Kennedy
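
The two positions in this thread can be combined, shown here as an added example that is not logcheck's own code: check that the configured directory really is a private mode 0700 directory before relying on it, and create the scratch files with mktemp(1) either way. The function names and the `logcheck.`/`check.` templates are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; function names and file name templates are hypothetical.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, with mode exactly 0700. find(1) does not follow a symlink
# named on the command line by default, so a symlinked path is rejected.
is_private_dir() {
    [ -n "$1" ] || return 1
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" -perm 0700 2>/dev/null)" ]
}

# Prints a directory that is safe for scratch files: the configured one
# if it is private, otherwise a fresh directory from mktemp -d, which is
# created atomically with mode 0700.
pick_workdir() {
    if is_private_dir "$1"; then
        printf '%s\n' "$1"
    else
        mktemp -d "${TMPDIR:-/tmp}/logcheck.XXXXXXXXXX"
    fi
}

# Creates one scratch file in directory $1 and prints its path. mktemp
# picks an unpredictable name and fails rather than reuse an existing
# file, unlike a fixed name such as check.$$ .
new_scratch() {
    mktemp "$1/check.XXXXXXXXXX"
}
```

A script would call `pick_workdir` once with its configured directory and then `new_scratch` for each file it needs, removing them on exit.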