Re: [Nmh-workers] nmh vs mktemp()
From: Nick Rusnov
Subject: Re: [Nmh-workers] nmh vs mktemp()
Date: Sat, 5 Apr 2008 15:36:41 -0700
User-agent: Mutt/1.5.13 (2006-08-11)
On Sat, Apr 05, 2008 at 10:52:05PM +0100, address@hidden wrote:
>
> I've been looking at fixing the various insecure uses of mktemp()
> in the nmh codebase. I've gradually realised that although some of
> them are fixable, some are really very tricky. The trouble is that
> much of the code assumes that you can create a temporary file and
> then later on reopen it by name[*]; and often this happens by a
> very indirect route, with a tempfile name being passed into
> functions which might also be using normal message files. Or we
> might create a tempfile and then rename it to something else.
>
> So I think that it might be better to sidestep the whole issue
> by just having nmh create its temporary files in ~/Mail. Because
> this directory isn't writable except by the user, there's no
> danger of malicious attackers creating symlinks in it as there
> is with putting files in /tmp/. Some work would still be
> required, but nowhere near as much.
I have to agree that this is a good solution short of massive code changes. I
believe that users can currently do this by setting their TEMP variable to a
directory that they control, but a systematic use of a temporary directory
specially for nmh seems like a good policy. Something like ~/Mail/.temp or some
such so as not to interfere with a potential folder called temp.
--
-><- Nick Rusnov
-><- http://nick.industrialmeats.com
-><- address@hidden/address@hidden
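Added example, not code from nmh or from anyone in this thread: a C helper that creates temporary files the way the proposal describes, under a user-private directory such as ~/Mail/.temp, and first checks the precondition the argument rests on, that the directory is owned by the caller and not writable by group or others. The function names, the `.temp` location and the `nmh` prefix are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The reasoning in the thread only holds if the directory really is private:
 * a real directory (not a symlink), owned by the caller, unwritable by group
 * and others. Returns 0 if so, -1 (with errno set) otherwise. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) < 0)                   /* lstat: a symlink here is rejected */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Create a temp file under a private directory such as ~/Mail/.temp.
 * mkstemp(3) opens with O_CREAT|O_EXCL, so unlike mktemp(3) there is no gap
 * between picking the name and creating the file. Returns the open fd and
 * leaves the path in buf; -1 on error. (Names are this example's, not nmh's.) */
int private_tempfile(const char *dir, const char *prefix, char *buf, size_t buflen)
{
    if (check_private_dir(dir) < 0)
        return -1;
    if (snprintf(buf, buflen, "%s/%sXXXXXX", dir, prefix) >= (int)buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(buf);
}

/* Stand-alone demo using $HOME/Mail/.temp, the location suggested above. */
int main(void)
{
    char dir[512], path[600];
    const char *home = getenv("HOME");
    if (!home || snprintf(dir, sizeof dir, "%s/Mail/.temp", home) >= (int)sizeof dir) return 1;
    int fd = private_tempfile(dir, "nmh", path, sizeof path);
    if (fd < 0) { perror(dir); return 1; }
    printf("created %s\n", path);
    close(fd); unlink(path);
    return 0;
}
```

If ~/Mail/.temp does not exist or is group/world writable, the demo refuses to create anything and reports the directory, which is the behaviour you want from a mail tool rather than a silent fallback to /tmp.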