Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

default TMPPREFIX unsafe if local malicious users



The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:

  for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done

This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?

Jeremy


Messages sorted by: Reverse Date, Date, Thread, Author