default TMPPREFIX unsafe if local malicious users

default TMPPREFIX unsafe if local malicious users

[Jeremy Mates]

The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:

  for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done

This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?

Jeremy

Re: default TMPPREFIX unsafe if local malicious users

[Sorin Ionescu]

On Mac OS X, a temporary directory with permissions 700 is created for each user at login: /var/folders/jp/qsb33jvx5hj6vv3zv3rhcgn00000gn/T/.

$TMPPREFIX should be set to $TMPDIR/zsh, not /tmp/zsh.

Sorin

On 29 Aug 2012, at 19:13, Jeremy Mates wrote:

> The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:
> 
>  for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done
> 
> This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?
> 
> Jeremy