Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: default TMPPREFIX unsafe if local malicious users



On Mac OS X, a temporary directory with permissions 700 is created for each user at login: /var/folders/jp/qsb33jvx5hj6vv3zv3rhcgn00000gn/T/.

$TMPPREFIX should be set to $TMPDIR/zsh, not /tmp/zsh.

Sorin

On 29 Aug 2012, at 19:13, Jeremy Mates wrote:

> The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:
> 
>  for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done
> 
> This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?
> 
> Jeremy



Messages sorted by: Reverse Date, Date, Thread, Author