From: Sorin Ionescu
To: Jeremy Mates
Cc: zsh-workers@zsh.org
Subject: Re: default TMPPREFIX unsafe if local malicious users
Date: Wed, 29 Aug 2012 21:41:33 -0400
Message-Id: <966E7D56-AC76-4B5B-88DE-B5E625048DE7@gmail.com>
In-Reply-To: <10BDFE08-7B52-4775-BD19-C5A1B7498202@gmail.com>
List-Id: Zsh Workers List

On Mac OS X, a temporary directory with permissions 700 is created for each user at login:
/var/folders/jp/qsb33jvx5hj6vv3zv3rhcgn00000gn/T/. $TMPPREFIX should be set to $TMPDIR/zsh, not /tmp/zsh.

Sorin

On 29 Aug 2012, at 19:13, Jeremy Mates wrote:

> The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite should a local malicious user have write access to /tmp, for example if the target user uses the Functions/Zle/edit-command-line feature after the following is performed:
>
> for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; done
>
> This issue could perhaps be avoided by locally setting the NOCLOBBER option for all code that uses TMPPREFIX, or by providing a mktemp(3) interface (if available)?
>
> Jeremy
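The two mitigations proposed in the quoted message (noclobber and mktemp), compared with a plain redirection to a predictable name, as an added example that is not part of the thread or of zsh's own code. It is written in POSIX sh, where `set -C` is the noclobber option, and it assumes a mktemp(1) utility; the names zshecl12345 and victim.txt are constructed, and everything stays inside a private scratch directory.

```shell
#!/bin/sh
# Added example: all files live in a scratch directory created with mktemp -d.
# zshecl12345 and victim.txt are constructed names for the demo.

# write_tmp MODE DIR: write scratch data to a temp file in DIR using MODE.
write_tmp() {
    case $1 in
        plain)      # predictable name, ordinary redirection (follows symlinks)
            ( printf 'scratch\n' > "$2/zshecl12345" ) 2>/dev/null ;;
        noclobber)  # same name, but set -C refuses to overwrite an existing file
            ( set -C; printf 'scratch\n' > "$2/zshecl12345" ) 2>/dev/null ;;
        mktemp)     # unpredictable name, created exclusively by mktemp(1)
            f=$(mktemp "$2/zshecl.XXXXXX") && printf 'scratch\n' > "$f" ;;
    esac
}

# check_mode MODE: prints "clobbered" or "intact" for the protected file.
check_mode() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/tmpprefix-demo.XXXXXX") || return 2
    printf 'original\n' > "$dir/victim.txt"
    # A link already sitting at the predictable temp-file name.
    ln -s "$dir/victim.txt" "$dir/zshecl12345"
    # A refused write is the expected outcome in noclobber mode, so ignore status.
    write_tmp "$1" "$dir" || :
    if [ "$(cat "$dir/victim.txt")" = original ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$dir"
}

for m in plain noclobber mktemp; do
    printf '%-10s %s\n' "$m" "$(check_mode "$m")"
done
```

The scratch directory itself is the third mitigation from this thread in miniature: a mode-700 directory such as $TMPDIR on Mac OS X means no other local user can place a link there in the first place.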