temp file creation problem in inn

Russ Allbery rra at stanford.edu
Sat Dec 30 01:28:23 UTC 2000



Steve Beattie <steve at wirex.net> writes:

> This code passes innconf->pathtmp + name to mktemp. lib/getconfig.c
> reads inn.conf looking for the pathtmp setting and sets innconf->pathtmp
> to that setting (it also sets the TMPDIR environment variable to the
> same).

innconf->pathtmp should under no circumstances be set to /tmp or
/usr/tmp.  From inn.conf(5):

     pathtmp
         Where INN puts temporary files.  For security reasons, this is
         not the same as the system temporary files directory (INN creates
         a lot of temporary files with predictable names and does not go
         to particularly great lengths to protect against symlink attacks
         and the like; this is safe provided that normal users can't write
         into its temporary directory).  It must be on the same partition
         as pathincoming for rnews(1) to work correctly.  The default
         value is set at configure time and defaults to pathnews/tmp.

This sounds like a security bug in Red Hat's INN RPM.  INN as shipped by
ISC has used a temporary directory separate from the system directory for
quite some time (it's not new in 2.3).

> NOTE: The patch to nntpget.c above is incorrect (my fault, sorry). The line:

> +	if ((tmpfd = mkstemp(temp)) == -1 || (F = fopen(temp, "w+")) == NULL) {

> should be changed to:

> +	if ((tmpfd = mkstemp(temp)) == -1 || (F = fdopen(tmpfd, "w+")) == NULL) {
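Review bot: In the corrected condition both failures land in the same error branch, so when mkstemp succeeds and fdopen(tmpfd, "w+") returns NULL the branch runs with tmpfd still open and the file named by temp already on disk. The branch body is not visible here; it should check tmpfd != -1 and, in that case, close(tmpfd) and unlink(temp) before bailing out, otherwise the descriptor and the temporary file are both left behind.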

Thanks.

I'm hanging on to the patch... at some point we'll get or I'll end up
writing a mkstemp replacement for systems that don't have it, and then it
will come in handy.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
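
The two points in this message, as an added example that is not part of the original post and not INN code: a check that a temporary directory is not world-writable (one reading of the inn.conf(5) condition that normal users can't write into it; group permissions are not examined), and temp file creation that hands the mkstemp descriptor to fdopen. The function names tmpdir_is_private and open_temp and the exampleXXXXXX template are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if dir is a real directory that is not world-writable, 0 if it is
 * unsafe for predictable names, -1 if it cannot be examined. */
int tmpdir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))       /* lstat: a symlink is rejected too */
        return 0;
    return (st.st_mode & S_IWOTH) == 0;
}

/* Create a temp file in dir and return a stream on the descriptor that
 * mkstemp opened; the name is never opened a second time. */
FILE *open_temp(const char *dir, char *path, size_t len)
{
    int fd, saved, n = snprintf(path, len, "%s/exampleXXXXXX", dir);
    FILE *fp;
    if (n < 0 || (size_t)n >= len || (fd = mkstemp(path)) == -1)
        return NULL;
    if ((fp = fdopen(fd, "w+")) == NULL) {
        saved = errno;              /* mkstemp worked, fdopen did not */
        close(fd);
        unlink(path);
        errno = saved;
    }
    return fp;
}

int main(int argc, char **argv)
{
    char path[4096];
    FILE *fp;
    if (argc != 2 || tmpdir_is_private(argv[1]) != 1)
        return 1;                   /* refuse a shared directory */
    if ((fp = open_temp(argv[1], path, sizeof path)) == NULL)
        return 1;
    puts(path);
    fclose(fp);
    return unlink(path) == -1;
}
```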


