dangerous use of `/tmp` (multiple places)
schleuder appears to have a number of places where it uses predictable or guessable temporary paths that could be used as attack vectors by anyone on the system. For example, if I know that an admin tends to run the keyring update script with `DEBUG` set, and that script invokes `pinentry-clearpassphrase`, I can cause schleuder to append data to an arbitrary file with a symlink attack on `/tmp/pinentry.log`.

I found these just by searching for `/tmp`; I don't know if there are any other uses of this antipattern in the codebase:
```
bin/pinentry-clearpassphrase:  File.open('/tmp/pinentry.log', 'a') do |f|
bin/pinentry-clearpassphrase:TMPDIR = "/tmp/schleuder-#{TMPNAME}"
lib/schleuder/gpgme/ctx.rb:  log = "/tmp/schleuder-#{name}-#{rand}.log"
spec/schleuder.yml:lists_dir: /tmp/schleuder-test/
spec/schleuder.yml:listlogs_dir: /tmp/schleuder-test/
spec/spec_helper.rb:  pid = Process.spawn('spec/sks-mock.rb', [:out, :err] => ["/tmp/sks-mock.log", 'w'])
```
The obfuscations like `#{TMPNAME}` and `#{rand}` aren't usually sufficient to defend against an attacker on the same system who might be able to write to the shared `/tmp` folder.
If schleuder needs a temporary file, it should use a more principled approach -- either have a dedicated space for tmpfiles, owned and controlled exclusively by the schleuder user itself, and make your statically-named files within that location, or use one of the OS-level primitives to generate a new non-colliding temporary filename (see libc's `mkstemp()` for an example; I don't know the equivalent in Ruby).
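As an added illustration of both approaches (this is example code, not schleuder's own): Ruby's standard library already provides the `mkstemp()`/`mkdtemp()` analogues (`Tempfile.create` and `Dir.mktmpdir`), and for a statically-named file inside a private directory the `File::EXCL` flag makes the open fail instead of following a pre-placed symlink. The helper names below (`private_log_path`, `open_exclusive`, `symlink_is_rejected?`, `temp_log_demo`) are hypothetical.

```ruby
require 'tempfile'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper: put a statically-named log file inside a fresh,
# owner-only (0700) directory with a random suffix, i.e. the mkdtemp()
# approach, instead of a guessable path directly under /tmp.
def private_log_path(prefix = 'schleuder')
  dir = Dir.mktmpdir("#{prefix}-")
  File.join(dir, 'pinentry.log')
end

# Hypothetical helper: open a path for appending, but refuse to create it
# if anything (a regular file or a symlink, even a dangling one) already
# sits at that name. O_CREAT|O_EXCL fails with EEXIST in that case, which
# is what defeats the symlink-in-/tmp pattern described in the report.
def open_exclusive(path, mode = 0600)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL | File::APPEND, mode)
end

# Reproduce the attack scenario in an isolated directory (constructed test
# fixture): a symlink is planted at the expected log name before the
# program runs. Returns true when the exclusive open correctly refuses it.
def symlink_is_rejected?(dir)
  target = File.join(dir, 'victim-file')
  link   = File.join(dir, 'pinentry.log')
  File.write(target, '')
  File.symlink(target, link)
  begin
    open_exclusive(link).close
    false # would have appended through the symlink
  rescue Errno::EEXIST
    true  # O_EXCL saw the existing name and bailed out
  end
end

# The mkstemp() approach: Tempfile.create picks a unique name and creates
# it with O_EXCL; the block form removes the file afterwards.
def temp_log_demo
  Tempfile.create(['schleuder-', '.log']) do |f|
    f.write("debug line\n")
    f.flush
    File.read(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |d| puts "symlink rejected: #{symlink_is_rejected?(d)}" }
  puts "tempfile contents: #{temp_log_demo.inspect}"
end
```

Either pattern also fixes the `#{rand}` case in `ctx.rb`: a random suffix only helps if the open itself refuses to reuse an existing name, which `Tempfile.create` does and a plain `File.open(path, 'a')` does not.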