From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-30646-mason-zsh=primenet.com.au@zsh.org>
Received: (qmail 3044 invoked by alias); 30 Aug 2012 02:12:01 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
X-Seq: 30646
Received: (qmail 7751 invoked from network); 30 Aug 2012 02:12:00 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_LOW,
	T_DKIM_INVALID autolearn=no version=3.3.2
Received-SPF: pass (ns1.primenet.com.au: SPF record at _spf.google.com designates 209.85.213.171 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:mime-version:content-type:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to:x-mailer;
        bh=KBAoLhklSOb/d37rtr1ftK1wv80gzaaVt7g/n3FfVXs=;
        b=To7Vd3Hz2jpXTve+lHRSqloTr2DHWcCn9CVL588tyZYrKC+A73uz0MpWBISXdndXd7
         1EnannsGH1Dzyj66vNZJJe/vrN/aK+E1PEpx31X1fLij9VCDxneDhpROLs+okyhGrv+x
         2oexiXsR815ERlzQvPZ4B5k+cLEX/7QzsYNVGdG2SjP+gX3vn2nUW04Efo3HXzHKQSOZ
         HgyF1ovtH6m4QyCtQjir6twhzh+Enpj0Ri1f3CkIGp+/Z2xf2bI1OxFDHKDC/A5ta9DQ
         mNLkFdQhn2X1S9ejn1KiY+6nDCosq3ElX3f1lqPQ0UrKPxmcruUNIpGum/y7d1Q3XTUv
         395w==
Subject: Re: default TMPPREFIX unsafe if local malicious users
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: Sorin Ionescu <sorin.ionescu@gmail.com>
In-Reply-To: <10BDFE08-7B52-4775-BD19-C5A1B7498202@gmail.com>
Date: Wed, 29 Aug 2012 21:41:33 -0400
Cc: zsh-workers@zsh.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <966E7D56-AC76-4B5B-88DE-B5E625048DE7@gmail.com>
References: <10BDFE08-7B52-4775-BD19-C5A1B7498202@gmail.com>
To: Jeremy Mates <jeremy.mates@gmail.com>
X-Mailer: Apple Mail (2.1278)

On Mac OS X, a temporary directory with permissions 700 is created for =
each user at login: /var/folders/jp/qsb33jvx5hj6vv3zv3rhcgn00000gn/T/.

$TMPPREFIX should be set to $TMPDIR/zsh, not /tmp/zsh.

Sorin

On 29 Aug 2012, at 19:13, Jeremy Mates wrote:

> The default TMPPREFIX of /tmp/zsh allows arbitrary file overwrite =
should a local malicious user have write access to /tmp, for example if =
the target user uses the Functions/Zle/edit-command-line feature after =
the following is performed:
>=20
>  for i in {1..99999}; do ln -s /user/file/to/clobber /tmp/zshecl$i; =
done
>=20
> This issue could perhaps be avoided by locally setting the NOCLOBBER =
option for all code that uses TMPPREFIX, or by providing a mktemp(3) =
interface (if available)?
>=20
> Jeremy