[hobbit] Temporary Files

Mon Dec 19 14:34:18 CET 2005

On Mon, 2005-12-19 at 09:14 +0100, Henrik Stoerner wrote:
> On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:
> > Just thought I might clarify tmp file handling for hobbit and hobbit
> > client specifically.
> > 
> > It would seem to me that tmp file handling is probably insecure...
> > -rw-r--r--  1 hobbit hobbit     237 2005-12-19 14:41 hobbit_vmstat.12913
> > -rw-r--r--  1 hobbit hobbit   14996 2005-12-19 14:41 msg.txt
> > 
> > ie, it is easy for an 'attacker' to create a file called msg.txt before
> > hobbit does (though it seems that file is kept there all the time, so it
> > would have to be created between system bootup and hobbit startup.
> > 
> Hobbit does create a tmp directory for itself. Unless you've changed the
> configuration, all temporary files are kept in the directory pointed to
> by the BBTMP setting in hobbitclient.cfg; by default that is
> ~hobbit/client/tmp/

Well, I simply installed the 1.2p1 version from the deb file on
sourceforge... I didn't customise/change anything at all. Perhaps this
is different in the deb package version ??

> You're right that the statically named "msg.txt" file could be a
> problem. In the current snapshot I've changed the client script to 
> always generate the message using a temporary filename ("msg.txt.$$" 
> which uses the PID of the client process - it changes from time to time).
> The hobbitclient.sh script now does
> 
>     TEMPFILE="$BBTMP/msg.txt.$$"
>     rm -f $TEMPFILE
>     touch $TEMPFILE
>     ... more commands to build and send the client message ...
>     rm -f $BBTMP/msg.txt
>     mv $TEMPFILE $BBTMP/msg.txt

If using a private tmp directory, then I don't really see this as a
problem.. however, how about something like:

if [ -x /bin/mktemp ]
then
	MKTEMP=/bin/mktemp
else if [ -s /usr/bin/mktemp ]
then
	MKTEMP=/usr/bin/mktemp
fi
if [ ! -z MKTEMP ]
then
	TEMPFILE=`$MKTEMP $BBTMP/msg.txt.XXXXXXX`
else
	TEMPFILE="$BBTMP/msg.txt.$$"
	rm -f $TEMPFILE
	touch $TEMPFILE
	etc....
fi

that way on hosts that have a mktemp in some 'standard' location, then
it will default to being 'more' secure....

> The reason why I save the latest message in msg.txt is for debugging
> only. The ideal thing would be to use the "mktemp" command, but that
> is not available on all systems where the client may run.
> 
> This has been in the snapshots since November.

I suppose also, a simple if [ -e $TEMPFILE ] could check to see if the
file exists, and then just immediately send some red alert to hobbit
server with a reason.... "Possible symlink attack, file xyz already
exists" etc....

Anyway, for me, it isn't a big concern, just noticed it, and thought I'd
ask about it....

Regards,
Adam