KTemporaryFile::createLocalFile()

Thiago Macieira thiago at kde.org
Thu Jul 5 13:33:57 BST 2007


David Faure wrote:
> 1) App calls KTemporaryFile::createLocalFile(), which creates a file,
> opens it, closes it, returns its name
> 2) Another user was running a malicious script that watches /tmp (e.g.
> using inotify), it gets notified about the new file.
> 3) Said script replaces the new temp file with a symlink to your
> ~/.ssh/id_dsa (or any other file that has value to you)
> 4) App now reopens the file using the path it got from step 1, and this
> erases your ssh private key. Damn!

I'd like to point out that, while we do have that kind of protection for 
normal files, non-normal files don't have it. Directories, named pipes, 
sockets, etc. are all created directly and they may be susceptible to 
symlink attacks.

Though those are more or less protected by the system call itself:

$ touch /tmp/file
$ strace -e mknod mkfifo /tmp/file
mknod("/tmp/file", S_IFIFO|0666)        = -1 EEXIST (File exists)
$ strace -e mkdir mkdir /tmp/file
mkdir("/tmp/file", 0777)                = -1 EEXIST (File exists)
$ strace -e bind klocalsocketservertest listen:valid
bind(8, {sa_family=AF_FILE, path="/tmp/asocket"}, 15) = -1 EADDRINUSE (Address already in use)

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358