Re: [PATCH] Re: Insecure tempfile creation

[Danek Duvall <duvall@xxxxxxxxxxxxxx>]

On Wed, Jan 07, 2015 at 10:22:20PM -0800, Bart Schaefer wrote:

> On Wed, Jan 7, 2015 at 2:03 PM, Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx> wrote:
> > Coming back to this, it has occurred to me that
> >
> >         mv -f =(:) ${TMPPREFIX:-/tmp/zsh}foo$$
> >
> > wouldn't perform an atomic rename (as intended) if /tmp/zshfoo$$ is a
> > directory or symlink-to-directory.  So hypothetically an attacker might
> > be able to create a file named `basename =(:)` in a directory of his
> > choice owned by the victim.
> 
> Hmm.  Yup, we need "ln -Fh" instead of "mv -f".  Are the -F and -h
> options of "ln" fairly standard?

Neither exists on Solaris ln.  GNU coreutils ln doesn't seem to have -h,
either.  And -F just seems like a bad idea, supported or not.

What about mktemp?  The above construction is pretty weird, anyway.  If an
external command isn't desired, then mktemp seems like a reasonable thing
to make builtin.

Danek