Re: temporary file
On Nov 29, 8:45 am, gwowen <gwo...@gmail.com> wrote:
> On Nov 29, 8:29 am, "Fred Zwarts" <F.Zwa...@KVI.nl> wrote:
> > Can't you place the call to tmpnam() and the call to fopen()
> > in one critical section guarded with a mutex to remove the
> > race condition?
>
> The problem isn't a race within one's own code. That could be dealt
> with by your methods. The problem is this.
>
> Your code
> ---------
> call tmpnam(), get /tmp/pattern_43234532523, say
>
> Attacker's code
> --------------
> Flood /tmp with symbolic links named
> pattern_XXXXXXX, all pointing to a
> critical file of yours
>
> call fopen(/tmp/pattern_43234532523,"w")
>
> Oops, you've now truncated your critical file to length zero...

You're supposing 1) a remarkably stupid implementation of
tmpnam(), which forces creation in a directory to which everyone
has access, and 2) a remarkably open system, in which untrusted
users can create symbolic links wherever they feel like. (And
if you are on such an open system, you're supposing a remarkably
naïve use of tmpnam(). Most of the time, I'll use the results
of tmpnam() to create a directory (with appropriate access
rights), and put all of my temporary files in that.)
--
James Kanze
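
The private-directory approach described in the message above, as an added example that is not code from any poster in this thread. It assumes a POSIX system and swaps in mkdtemp() for the tmpnam()-then-mkdir step; the `/tmp/tmpdemo_XXXXXX` template, the file names and the function names are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new file; O_EXCL makes open() fail if anything, including a
   symbolic link, already exists at path, so it never writes through a link. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario. Returns 1 when the directory is owner-only, the
   pre-existing link is refused, and the file it points to is unchanged. */
int demo_private_dir(void) {
    char dir[] = "/tmp/tmpdemo_XXXXXX";   /* hypothetical name template */
    char target[64], planted[64], buf[16] = "";
    struct stat st;
    if (mkdtemp(dir) == NULL || stat(dir, &st) != 0) return -1;
    int owner_only = (st.st_mode & 0777) == 0700;

    snprintf(target, sizeof target, "%s/critical", dir);
    snprintf(planted, sizeof planted, "%s/pattern_1", dir);
    FILE *f = fopen(target, "w");         /* stands in for the critical file */
    if (f == NULL) return -1;
    fputs("keep", f);
    fclose(f);
    if (symlink(target, planted) != 0) return -1;

    /* fopen(planted, "w") here would follow the link and truncate target. */
    int fd = create_exclusive(planted);
    int refused = (fd == -1);
    if (fd != -1) close(fd);

    f = fopen(target, "r");
    if (f != NULL) {
        if (fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0';
        fclose(f);
    }
    int intact = strcmp(buf, "keep") == 0;

    unlink(planted); unlink(target); rmdir(dir);
    return owner_only && refused && intact;
}

int main(void) {
    printf("private dir + O_EXCL held: %d\n", demo_private_dir());
    return 0;
}
```

The 0700 directory keeps other users from creating entries next to your temporary files, and O_EXCL covers the case where a name is already taken anyway.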