From: "Stefan Monnier"
Newsgroups: gmane.emacs.devel
Subject: Re: many packages write to `temporary-file-directory' insecurely
Date: Tue, 05 Mar 2002 10:15:50 -0500
Message-ID: <200203051515.g25FFop01808@rum.cs.yale.edu>
References: <1014945351.23435.102.camel@space-ghost> <1015103550.7365.17.camel@space-ghost> <200203031718.g23HIKt23295@rum.cs.yale.edu> <200203032036.MAA29961@radish.petrofsky.org> <200203042341.g24NfAA00521@aztec.santafe.edu> <200203050226.SAA32321@radish.petrofsky.org>
To: Al Petrofsky
Cc: rms@gnu.org, monnier+gnu/emacs@RUM.cs.yale.edu, Pavel@Janik.cz, walters@verbum.org, emacs-devel@gnu.org
> My solution is to first write the scores securely into a temp file and
> then move it to the desired place.  This is safe, because if someone
> has made the destination filename a symbolic link, then the rename
> system call removes the link, rather than overwriting the linked-to file.

The idea is alright, but:

> This requires storing the file in a subdirectory of /tmp that is
> world-writable without restriction, as opposed to /tmp itself, which
> normally has its sticky bit set, thus forbidding people from deleting
> others' files or renaming over them.

This creates another problem, which comes from the fact that Emacs does
not have the notion of a file descriptor: an attacker can change the temp
file into a symlink between the call to make-temp-file and the call to
write-region.

I really think it's better to require that the parent directory of the
file we're writing to is only writable by ourselves and/or by root.


	Stefan


_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://mail.gnu.org/mailman/listinfo/emacs-devel
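Added example, not code from the thread: a C version of the write-to-temp-then-rename approach quoted above, with the parent-directory check Stefan asks for. Because C (unlike Emacs Lisp) has file descriptors, the data is written through the descriptor returned by the exclusive create, so the window between make-temp-file and write-region that the reply points at does not exist; the function names and the "owned by us or root, not group/world writable" rule are my own rendering of the message.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Precondition from the message: the parent directory must be writable only
 * by us and/or by root.  Group- or world-writable directories are refused
 * (sticky bit or not), so nobody else can replace our temp file.  1 = private. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Write `len` bytes to `path`: check the parent, create an exclusive temp file
 * beside it (mkstemp: O_CREAT|O_EXCL, mode 0600), write through that descriptor
 * so a later symlink swap cannot redirect the data, then rename over `path`
 * (rename replaces a symlink at `path` rather than following it).
 * Returns 0 on success, -1 on failure with errno set. */
int safe_write_file(const char *path, const void *data, size_t len)
{
    char dir[PATH_MAX], tmp[PATH_MAX];
    const char *slash = strrchr(path, '/'), *p = data;
    int fd = -1;
    if (strlen(path) + sizeof ".XXXXXX" > sizeof tmp) { errno = ENAMETOOLONG; return -1; }
    if (!slash) strcpy(dir, ".");
    else if (slash == path) strcpy(dir, "/");
    else { memcpy(dir, path, (size_t)(slash - path)); dir[slash - path] = '\0'; }
    if (!dir_is_private(dir)) { errno = EACCES; return -1; }
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if ((fd = mkstemp(tmp)) < 0) return -1;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; goto fail; }
        p += n; len -= (size_t)n;
    }
    if (fsync(fd) != 0) goto fail;
    { int c = close(fd); fd = -1; if (c != 0) goto fail; }
    if (rename(tmp, path) != 0) goto fail;
    return 0;
fail:
    { int e = errno; if (fd >= 0) close(fd); unlink(tmp); errno = e; return -1; }
}
```

The same check can be applied from Lisp before calling write-region, but only the descriptor-based write closes the race itself.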