Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: [PATCH] Re: Insecure tempfile creation

X-seq: zsh-workers 34164
From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: [PATCH] Re: Insecure tempfile creation
Date: Wed, 7 Jan 2015 22:03:45 +0000
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= daniel.shahaf.name; h=x-sasl-enc:date:from:to:subject:message-id :references:mime-version:content-type:in-reply-to; s=mesmtp; bh= RlsdVCRheAGtzfdPJQRq0HwDnMA=; b=Jq6EA4AjW/JWkzs3+ekIJImZ7opVJghA b/JY9SwVJMKnCk+ZFMynFWXpZtCeTXGQQ3bNVZDpJXjlop58eBkVEDrhKtSyxO4C xldAQfuc3h+fXqg5boTy4q0izZ9wVvHJZKCPOXWzFo88Afr0Ie3rEXl7yQakcxGr 2HYphAcNL94=
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=x-sasl-enc:date:from:to:subject :message-id:references:mime-version:content-type:in-reply-to; s= smtpout; bh=RlsdVCRheAGtzfdPJQRq0HwDnMA=; b=Qr23j0pPxN7dq9GFxXfr lkmpdTpj6ira1IgDlv2Uuv7DcXWEGRPnAlT2RZC3km9+OiTQmq7l8RgHcOENR1Pr JRGcWRfwIG2k7jUbKpA7VYR0BdwN1kRATYCGAe/aMST6gZs2ff6VqgJMntKll4t3 rUDDc0BZy+r4tI2zLRTblNQ=
In-reply-to: <141228200142.ZM22840@torch.brasslantern.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20141222203624.GA24855@tarsus.local2> <141227223029.ZM15959@torch.brasslantern.com> <141227234421.ZM16038@torch.brasslantern.com> <141228004101.ZM28486@torch.brasslantern.com> <20141229004957.GA1737@tarsus.local2> <141228200142.ZM22840@torch.brasslantern.com>

Bart Schaefer wrote on Sun, Dec 28, 2014 at 20:01:42 -0800:
> On Dec 29, 12:49am, Daniel Shahaf wrote:
> }
> } Your patches look good to me, including the rmdir
> 
> I avoided using "mkdir -m 0700" in favor of the chmod but then found some
> other places where mkdir is passed the -m option.  So maybe that should
> be tweaked.

Coming back to this, it has occurred to me that

	mv -f =(:) ${TMPPREFIX:-/tmp/zsh}foo$$

wouldn't perform an atomic rename (as intended) if /tmp/zshfoo$$ is a
directory or symlink-to-directory.  So hypothetically an attacker might
be able to create a file named `basename =(:)` in a directory of his
choice owned by the victim.

I realize this is more far-fetched than the previous scenario.  Do we
consider this a problem that should be fixed?

Cheers,

Daniel

Follow-Ups:
- Re: [PATCH] Re: Insecure tempfile creation
  - From: Bart Schaefer

Messages sorted by: Reverse Date, Date, Thread, Author