* default TMPPREFIX unsafe if local malicious users
@ 2012-08-29 23:13 Jeremy Mates
2012-08-30 1:41 ` Sorin Ionescu
0 siblings, 1 reply; 2+ messages in thread
From: Jeremy Mates @ 2012-08-29 23:13 UTC (permalink / raw)
To: zsh-workers
The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:
for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done
This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?
Jeremy
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: default TMPPREFIX unsafe if local malicious users
2012-08-29 23:13 default TMPPREFIX unsafe if local malicious users Jeremy Mates
@ 2012-08-30 1:41 ` Sorin Ionescu
0 siblings, 0 replies; 2+ messages in thread
From: Sorin Ionescu @ 2012-08-30 1:41 UTC (permalink / raw)
To: Jeremy Mates; +Cc: zsh-workers
On Mac OS X, a temporary directory with permissions 700 is created for each user at login: /var/folders/jp/qsb33jvx5hj6vv3zv3rhcgn00000gn/T/.
$TMPPREFIX should be set to $TMPDIR/zsh, not /tmp/zsh.
Sorin
On 29 Aug 2012, at 19:13, Jeremy Mates wrote:
> The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:
>
> for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done
>
> This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?
>
> Jeremy
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-08-30 2:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-08-29 23:13 default TMPPREFIX unsafe if local malicious users Jeremy Mates
2012-08-30 1:41 ` Sorin Ionescu
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).