[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8671.1327334563@turing-police.cc.vt.edu>
Date: Mon, 23 Jan 2012 11:02:43 -0500
From: Valdis.Kletnieks@...edu
To: "Larry W. Cashdollar" <larry0@...com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: usb_modeswitch/pppd -detach
On Sun, 22 Jan 2012 02:38:57 GMT, "Larry W. Cashdollar" said:
> This is still a race condition since the pid can be guessed easily as well. It's better to use mktemp /tmp/debug.XXXXXXXXXX.
No, that's *still* beatable, because if you know what the PID will be you can
guess what the XXXX will be filled in with (it's basically just salted with the
contents of the target directory, so anybody who can do a readdir() and can
guess the pid can predict the value). What you *want* to do is read the mktemp
documentation and find this example on how to put the file into a securely
created subdirectory rather than directly in /tmp:
* Create a secure fifo relative to the user's choice of `TMPDIR',
but falling back to the current directory rather than `/tmp'.
Note that `mktemp' does not create fifos, but can create a secure
directory in which the fifo can live. Exit the shell if the
directory or fifo could not be created.
$ dir=$(mktemp -p "${TMPDIR:-.}" -d dir-XXXX) || exit 1
$ fifo=$dir/fifo
$ mkfifo "$fifo" || { rmdir "$dir"; exit 1; }
(The -d option creates a subdirectory. Unlike open() or creat() of a normal
file, which will chase a symlink if it exists, the mkdir() system call will
fail with EEXIST if there's a symlink waiting there. And once you have a mode
700 directory owned by yourself, it's kind of hard for the attacker to drop a
symlink into there behind your back).
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists