
Re: [Nmh-workers] nmh vs mktemp()

2008-04-05 16:47:47
On Sat, Apr 05, 2008 at 10:52:05PM +0100, pmaydell(_at_)chiark(_dot_)greenend(_dot_)org(_dot_)uk wrote:

> I've been looking at fixing the various insecure uses of mktemp()
> in the nmh codebase. I've gradually realised that although some of
> them are fixable, some are really very tricky. The trouble is that
> much of the code assumes that you can create a temporary file and
> then later on reopen it by name[*]; and often this happens by a
> very indirect route, with a tempfile name being passed into
> functions which might also be using normal message files. Or we
> might create a tempfile and then rename it to something else.
>
> So I think that it might be better to sidestep the whole issue
> by just having nmh create its temporary files in ~/Mail. Because
> this directory isn't writable except by the user, there's no
> danger of malicious attackers creating symlinks in it as there
> is with putting files in /tmp/. Some work would still be
> required, but nowhere near as much.

I have to agree that this is a good solution short of massive code changes. I
believe that users can currently do this by setting their TEMP variable to a
directory that they control, but a systematic use of a temporary directory
specially for nmh seems like a good policy. Something like ~/Mail/.temp or some
such so as not to interfere with a potential folder called temp.

-- 
-><- Nick Rusnov
-><- http://nick.industrialmeats.com
-><- nick(_at_)fargus(_dot_)net/nickrusnov(_at_)debian(_dot_)org 
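
The approach discussed in this thread, as an added example that is not part of either message and is not nmh code: temporary files are created with mkstemp() inside a per-user directory that is first checked to be a real directory, owned by the caller and not writable by group or other. The helper names and the `nmhXXXXXX` template are assumptions; `.temp` follows the suggestion in the reply above.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create (if needed) and vet <base>/.temp.
 * Returns 0 with the path in out, or -1 if it cannot be trusted. */
int private_tmpdir(const char *base, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/.temp", base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat, not stat: a symlink sitting at this name must be refused. */
    if (lstat(out, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    /* Must be ours and not writable by group or other. */
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Hypothetical helper: make a uniquely named file in the private directory.
 * mkstemp() creates it exclusively with mode 0600 and writes the final name
 * into path, so later reopen-by-name or rename stays inside that directory. */
int private_tmpfile(const char *base, char *path, size_t pathlen)
{
    char dir[PATH_MAX];
    if (private_tmpdir(base, dir, sizeof dir) != 0)
        return -1;
    int n = snprintf(path, pathlen, "%s/nmhXXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    return mkstemp(path);
}

int main(int argc, char **argv)
{
    char path[PATH_MAX];
    int fd = private_tmpfile(argc > 1 ? argv[1] : ".", path, sizeof path);
    if (fd < 0) { fputs("temp directory refused or create failed\n", stderr); return 1; }
    printf("created %s\n", path);
    close(fd);
    return unlink(path) != 0;
}
```

Run it with the base directory as the only argument; it defaults to the current directory.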