nmh-workers
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Nmh-workers] nmh vs mktemp()

2008-04-05 23:33:08
from [Joel Reicher] [Permanent Link][Original] 
I've been looking at fixing the various insecure uses of mktemp()
in the nmh codebase. I've gradually realised that although some of
them are fixable, some are really very tricky. The trouble is that
much of the code assumes that you can create a temporary file and
then later on reopen it by name[*]; and often this happens by a
very indirect route, with a tempfile name being passed into
functions which might also be using normal message files. Or we
might create a tempfile and then rename it to something else.


Firstly, I think this is the sort of work that should not go into 1.3,
but nor should it be held up by the 1.3 release. It's another reason to
branch.


So I think that it might be better to sidestep the whole issue
by just having nmh create its temporary files in ~/Mail. Because
this directory isn't writable except by the user, there's no
danger of malicious attackers creating symlinks in it as there
is with putting files in /tmp/. Some work would still be
required, but nowhere near as much.

Opinions?


If something is going to be fixed, I think it should be fixed properly.
I haven't looked at this part of the code, but would it *really* be
that difficult to change it to passing a file descriptor around instead
of a name? You'll have the compiler's type checking to help with the
change.

If the name of the file is important in a part of the nmh code, then I
would suggest this issue is a result of the fact that any file with a
significant name is not really a tempfile, and should not be created by
mktemp() in the first place.

As to your proposed fix, I think it's just asking for trouble. /tmp is
(almost) guaranteed to be local, which is one of the reasons it exists.
I would not want to see nmh creating tempfiles on a filesystem which could
be NFS mounted (or any other kind of remote file system). There's also the
issue of reading the Path: profile component. I could probably come up
with a few more reasons to believe what you propose is a bad idea.

Cheers,

        - Joel


_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
http://lists.nongnu.org/mailman/listinfo/nmh-workers
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Nmh-workers] Alas, No nmh in RedHat 4, Joel Reicher
Next by Date:  [Nmh-workers] thoughts on tmp*, Lyndon Nerenberg
Previous by Thread:  Re: [Nmh-workers] nmh vs mktemp(), Peter Maydell
Next by Thread:  [Nmh-workers] thoughts on tmp*, Lyndon Nerenberg
Indexes:  [Date] [Thread] [Top] [All Lists]