[Python-Dev] Remove tempfile.mktemp()
Cameron Simpson
cs at cskk.id.au
Sat Mar 23 19:59:35 EDT 2019
On 20Mar2019 12:53, Jeroen Demeyer <J.Demeyer at UGent.be> wrote:
>On 2019-03-20 12:45, Victor Stinner wrote:
>>You can watch the /tmp directory using inotify and "discover"
>>immediately the "secret" filename, it doesn't depend on the amount of
>>entropy used to generate the filename.
>
>That's not the problem. The security issue here is guessing the
>filename *before* it's created and putting a different file or symlink
>in place.
>
>So I actually do think that mktemp() could be made secure by using a
>longer name generated by a secure random generator.
I know it is days later, but to add a little nuance: the security issue
is guessing the filename before it is _used_. Consider:
path = tempfile.mktemp()
with open(path, "w"):
write some secret stuff ...
call_other_function(path)
If an attacker gets in _after_ the open (which creates the file) by
using something like inotify to _observe_ the pathname instead of
guessing and supplants the file then, call_other_function is then
subverted.
Also, the common examples are attackers who are not the user making the
tempfile, in which case the _default_ mktemp is sort of secure with the
above because it gets made in /tmp which on a modern POSIX system
prevents _other_ uses from removing/renaming a file. (And Eryk I think
described the Windows situation which is similarly protected).
However, mktemp somewhere else is not so protected.
And the attacker might be malware running as the orignal user (yes the
game may already be overin that case for other reasons).
However, I wanted to make the point that the security issue isn't around
creation but use - trusting the mktemp pathname to be the same state as
it was earlier.
Cheers,
Cameron Simpson <cs at cskk.id.au>
More information about the Python-Dev
mailing list