- Subject: Re: os.tmpname security risk?
- From: Steve Litt <slitt@...>
- Date: Wed, 13 Jul 2011 21:33:40 -0400
On Wednesday, July 13, 2011 08:25:23 PM HyperHacker wrote:
> On Wed, Jul 13, 2011 at 18:17, Steve Litt <slitt@troubleshooters.com> wrote:
> > On Saturday, July 02, 2011 06:29:52 AM HyperHacker wrote:
> >> The 5.1 manual states, for os.tmpname():
> >> > On some systems (POSIX), this function also creates a file
> >> > with that name, to avoid security risks. (Someone else might
> >> > create the file with wrong permissions in the time between
> >> > getting the name and creating the file.)
> >>
> >> But what stops someone from removing that file and creating
> >> their own, or changing its permissions? It doesn't seem like
> >> this really mitigates the risk at all.
> >
> > I think the assumption is you'll use the file very quickly and
> > then erase it, making it very hard for someone to switch out the
> > file during the short time you'll be using it.
> >
> > I rolled my own temp file maker that in my opinion is better than
> > those offered by Lua's distribution:
> >
> > http://www.troubleshooters.com/codecorn/lua/luaos.htm#_Temporary_Files
> >
> > Be careful -- I think the "%%%" in the error message should be
> > "@@@".
> >
> > Good luck.
> >
> > SteveT
> >
> >
> > --
> > Steve Litt
> > Recession Relief Package
> > http://www.recession-relief.US
> > Twitter: http://www.twitter.com/stevelitt
>
> True, you usually open the file immediately after creating it, but
> that leads to the potential security risk/race condition mentioned
> in the first post (and the reason os.tmpname() creates the file
> for you) - there is still a small window of opportunity (which an
> attacker might have various ways of enlarging) to sneak in and
> tamper with the file between the time you create it and the time
> you open it. (Or another app creates the same file, overwriting
> yours during that window - unlikely, but possible.)

If it's a problem having to wait between making up a number, seeing if
it exists, and opening it for write, then what I would do (I'm on
Linux) is write the thing in C and call it from Lua. C has a great
mktemp(), as I remember.

Nothing I currently have justifies that level of effort, but if you're
looking for foolproof all the way down to the operating system, that's
it.

SteveT

Steve Litt
Recession Relief Package
http://www.recession-relief.US
Twitter: http://www.twitter.com/stevelitt
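
Added example, not part of the thread or of Lua's source: a C helper of the kind the reply suggests calling from Lua. It uses POSIX mkstemp(3) (rather than mktemp(), which only returns a name) so the file is created and opened in one step, then checks it through the descriptor. The function names and the /tmp template are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create AND open a private temp file in one step. tmpl must end in
 * "XXXXXX"; mkstemp() fills in the name and opens with O_CREAT|O_EXCL. */
int open_private_temp(char *tmpl)
{
    mode_t old = umask(077);   /* very old libcs created it 0666 & ~umask */
    int fd = mkstemp(tmpl);
    umask(old);
    return fd;                 /* -1 on failure, errno set */
}

/* Verify through the descriptor, never the path: regular file, owned by
 * us, mode 0600, exactly one link. */
int fd_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
}

/* Constructed scenario: the name is removed and re-created (the swap asked
 * about in the thread). Returns 1 if our descriptor still holds our data. */
int survives_path_swap(void)
{
    char path[] = "/tmp/tmpname-demo-XXXXXX";   /* constructed sample name */
    char buf[6] = {0};
    int ok = 0, other, fd = open_private_temp(path);
    if (fd < 0) return 0;
    if (fd_is_private(fd) && write(fd, "secret", 6) == 6 && unlink(path) == 0) {
        other = open(path, O_CREAT | O_EXCL | O_WRONLY, 0644);
        if (other >= 0) {
            ok = write(other, "tamper", 6) == 6 &&
                 pread(fd, buf, 6, 0) == 6 && memcmp(buf, "secret", 6) == 0;
            close(other);
        }
    }
    unlink(path);
    close(fd);
    return ok;
}

int main(void) { return survives_path_swap() ? 0 : 1; }
```

The guarantee holds only while the program keeps using the descriptor; reopening the file by name brings the window back.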