
[Nmh-workers] nmh vs mktemp()

2008-04-05 14:52:39

I've been looking at fixing the various insecure uses of mktemp()
in the nmh codebase. I've gradually realised that although some of
them are fixable, some are really very tricky. The trouble is that
much of the code assumes that you can create a temporary file and
then later on reopen it by name[*]; and often this happens by a
very indirect route, with a tempfile name being passed into
functions which might also be using normal message files. Or we
might create a tempfile and then rename it to something else.

So I think that it might be better to sidestep the whole issue
by just having nmh create its temporary files in ~/Mail. Because
this directory isn't writable except by the user, there's no
danger of malicious attackers creating symlinks in it as there
is with putting files in /tmp/. Some work would still be
required, but nowhere near as much.

Opinions?

[*] if you're not convinced that this is broken even if we avoid
the simple mktemp() race condition, you can find fuller details here:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES

-- PMM


_______________________________________________
Nmh-workers mailing list
Nmh-workers@nongnu.org
http://lists.nongnu.org/mailman/listinfo/nmh-workers
