Please sign in to comment.
Fix for temporary file security whole
We create temporary files in /tmp/ with predictable names. These could be used by an attacker to DoS a box by setting a symlink to some other file (say, /etc/shadow) and waiting for us to overwrite it. The minimalistic solution employed by this patch is to wrap all such file writing with a paranoid wrapper that: 1) Check to see if the target exists 2) Issues a warning if it was a symlink 3) Deletes it 4) Waits (0.1 seconds if it was a file, 5 seconds if it was a symlink) 5) Opens the file with EXCL, which will fail if the file has come back. If this succeeds (as it normally will) it has exactly the same semantics as the original code (a must, as we are right at a release boundary). However, under no circumstances will it follow a preexisting symlink (the operating system guarantees this with EXCL) so the danger of an exploit has been converted into the possibility of a failure, with an appropriate warning.
- Loading branch information...
Showing with 32 additions and 7 deletions.