From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 8481 invoked by alias); 7 Jan 2015 22:04:02 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: X-Seq: 34164 Received: (qmail 23249 invoked from network); 7 Jan 2015 22:03:49 -0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.2 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= daniel.shahaf.name; h=x-sasl-enc:date:from:to:subject:message-id :references:mime-version:content-type:in-reply-to; s=mesmtp; bh= RlsdVCRheAGtzfdPJQRq0HwDnMA=; b=Jq6EA4AjW/JWkzs3+ekIJImZ7opVJghA b/JY9SwVJMKnCk+ZFMynFWXpZtCeTXGQQ3bNVZDpJXjlop58eBkVEDrhKtSyxO4C xldAQfuc3h+fXqg5boTy4q0izZ9wVvHJZKCPOXWzFo88Afr0Ie3rEXl7yQakcxGr 2HYphAcNL94= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=x-sasl-enc:date:from:to:subject :message-id:references:mime-version:content-type:in-reply-to; s= smtpout; bh=RlsdVCRheAGtzfdPJQRq0HwDnMA=; b=Qr23j0pPxN7dq9GFxXfr lkmpdTpj6ira1IgDlv2Uuv7DcXWEGRPnAlT2RZC3km9+OiTQmq7l8RgHcOENR1Pr JRGcWRfwIG2k7jUbKpA7VYR0BdwN1kRATYCGAe/aMST6gZs2ff6VqgJMntKll4t3 rUDDc0BZy+r4tI2zLRTblNQ= X-Sasl-enc: T1Y2t67hwIfKbqkhJ9Iok1pxxlPKdRr5ytrwEhhQqXp9 1420668227 Date: Wed, 7 Jan 2015 22:03:45 +0000 From: Daniel Shahaf To: zsh-workers@zsh.org Subject: Re: [PATCH] Re: Insecure tempfile creation Message-ID: <20150107220345.GE1714@tarsus.local2> References: <20141222203624.GA24855@tarsus.local2> <141227223029.ZM15959@torch.brasslantern.com> <141227234421.ZM16038@torch.brasslantern.com> <141228004101.ZM28486@torch.brasslantern.com> <20141229004957.GA1737@tarsus.local2> <141228200142.ZM22840@torch.brasslantern.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <141228200142.ZM22840@torch.brasslantern.com> User-Agent: Mutt/1.5.21 (2010-09-15) Bart Schaefer wrote on Sun, Dec 28, 2014 at 20:01:42 -0800: > On Dec 29, 12:49am, Daniel Shahaf wrote: > } > } Your patches look good to me, including the rmdir > > I avoided using "mkdir -m 0700" in favor of the chmod but then found some > other places where mkdir is passed the -m option. So maybe that should > be tweaked. Coming back to this, it has occurred to me that mv -f =(:) ${TMPPREFIX:-/tmp/zsh}foo$$ wouldn't perform an atomic rename (as intended) if /tmp/zshfoo$$ is a directory or symlink-to-directory. So hypothetically an attacker might be able to create a file named `basename =(:)` in a directory of his choice owned by the victim. I realize this is more far-fetched than the previous scenario. Do we consider this a problem that should be fixed? Cheers, Daniel