From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-34166-mason-zsh=primenet.com.au@zsh.org>
Received: (qmail 12665 invoked by alias); 8 Jan 2015 06:57:17 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
X-Seq: 34166
Received: (qmail 13189 invoked from network); 8 Jan 2015 06:57:04 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS
	autolearn=ham version=3.3.2
Date: Wed, 7 Jan 2015 22:48:16 -0800
From: Danek Duvall <duvall@comfychair.org>
To: Bart Schaefer <schaefer@brasslantern.com>
Cc: Zsh hackers list <zsh-workers@zsh.org>
Subject: Re: [PATCH] Re: Insecure tempfile creation
Message-ID: <20150108064816.GA17816@lorien.comfychair.org>
Mail-Followup-To: Danek Duvall <duvall@comfychair.org>,
	Bart Schaefer <schaefer@brasslantern.com>,
	Zsh hackers list <zsh-workers@zsh.org>
References: <20141222203624.GA24855@tarsus.local2>
 <141227223029.ZM15959@torch.brasslantern.com>
 <141227234421.ZM16038@torch.brasslantern.com>
 <141228004101.ZM28486@torch.brasslantern.com>
 <20141229004957.GA1737@tarsus.local2>
 <141228200142.ZM22840@torch.brasslantern.com>
 <20150107220345.GE1714@tarsus.local2>
 <CAH+w=7Y3r3UeFPdHjPsS9arrWWjss2Bco1i0hNsn6fb8sfv7Xw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAH+w=7Y3r3UeFPdHjPsS9arrWWjss2Bco1i0hNsn6fb8sfv7Xw@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2010-04-22)

On Wed, Jan 07, 2015 at 10:22:20PM -0800, Bart Schaefer wrote:

> On Wed, Jan 7, 2015 at 2:03 PM, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> > Coming back to this, it has occurred to me that
> >
> >         mv -f =(:) ${TMPPREFIX:-/tmp/zsh}foo$$
> >
> > wouldn't perform an atomic rename (as intended) if /tmp/zshfoo$$ is a
> > directory or symlink-to-directory.  So hypothetically an attacker might
> > be able to create a file named `basename =(:)` in a directory of his
> > choice owned by the victim.
> 
> Hmm.  Yup, we need "ln -Fh" instead of "mv -f".  Are the -F and -h
> options of "ln" fairly standard?

Neither exists on Solaris ln.  GNU coreutils ln doesn't seem to have -h,
either.  And -F just seems like a bad idea, supported or not.

What about mktemp?  The above construction is pretty weird, anyway.  If an
external command isn't desired, then mktemp seems like a reasonable thing
to make builtin.

Danek