Skip to content

Insecure Temporary Files #338

Closed
Closed
@topimiettinen

Description

@topimiettinen

Libqb creates files in world-writable directories (/dev/shm, /tmp) with rather predictable file names (e.g. /dev/shm/qb-usbguard-request-7096-835-12-data in case of USBGuard). Also O_EXCL flag is not used when opening the files. This could be exploited by a local attacker to overwrite privileged system files (if not restricted by sandboxing, MAC or symlinking policies).

At least O_EXCL flag should be used. I'd also use more complex logic where files are created with unpredictable names (also using O_TMPFILE) and then possibly renamed to match file naming convention (if the protocol does not allow completely random file names). I would not use files for IPC.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions