[Python-Dev] Some more on the 'tempfile' naming security issue

[Peter Funk]

[Guido]
> Every few months I receive patches that purport to make the tempfile
> module more secure.  I've never felt that it is a problem.  What is
> with these people?

[Tim]
> Doing a google search on
> 
>     tempfile security
> 
> turns up hundreds of rants.  Have fun <wink>.  There does appear to be a
> real vulnerability here somewhere (not necessarily Python), but the closest
> I found to a clear explanation in 10 minutes was an annoyed paragraph,
> saying that if I didn't already understand the problem I should turn in my
> Unix Security Expert badge immediately.  Unfortunately, Bill Gates never
> issued one of those to me.

On <http://www.insecure.org/sploits/gcc.tmpfiles.html> you can find a 
working example which exploits this vulnerability in older versions
of GCC.

The basic idea is indeed very simple:  Since the /tmp directory is
writable for any user, the bad guy can create a symbolic link in /tmp
pointing to some arbitrary file (e.g. to /etc/passwd).  The attacked
program will than overwrite this arbitrary file (where the programmer
really wanted to write something to his tempfile instead).  Since this
will happen with the access permissions of the process running this
program, this opens a bunch of vulnerabilities in many programs
writing something into temporary files with predictable file names.

www.cert.org is another great place to look for security related info.

Regards, Peter
-- 
Peter Funk, Oldenburger Str.86, D-27777 Ganderkesee, Germany, Fax:+49 4222950260
office: +49 421 20419-0 (ArtCom GmbH, Grazer Str.8, D-28359 Bremen)