Xymon Mailing List Archive

Temporary Files

list Adam Goryachev
Tue, 20 Dec 2005 00:34:18 +1100
Message-Id: <user-cd057ea691a4@xymon.invalid>

On Mon, 2005-12-19 at 09:14 +0100, Henrik Stoerner wrote:
> On Mon, Dec 19, 2005 at 03:33:38PM +1100, Adam Goryachev wrote:
>> Just thought I might clarify tmp file handling for hobbit and hobbit
>> client specifically.
>>
>> It would seem to me that tmp file handling is probably insecure...
>> -rw-r--r--  1 hobbit hobbit     237 2005-12-19 14:41 hobbit_vmstat.12913
>> -rw-r--r--  1 hobbit hobbit   14996 2005-12-19 14:41 msg.txt
>>
>> ie, it is easy for an 'attacker' to create a file called msg.txt before
>> hobbit does (though it seems that file is kept there all the time, so it
>> would have to be created between system bootup and hobbit startup).
>
> Hobbit does create a tmp directory for itself. Unless you've changed the
> configuration, all temporary files are kept in the directory pointed to
> by the BBTMP setting in hobbitclient.cfg; by default that is
> ~hobbit/client/tmp/

Well, I simply installed the 1.2p1 version from the deb file on
sourceforge... I didn't customise/change anything at all. Perhaps this
is different in the deb package version ??

> You're right that the statically named "msg.txt" file could be a
> problem. In the current snapshot I've changed the client script to
> always generate the message using a temporary filename ("msg.txt.$$"
> which uses the PID of the client process - it changes from time to time).
> The hobbitclient.sh script now does
>
>     TEMPFILE="$BBTMP/msg.txt.$$"
>     rm -f $TEMPFILE
>     touch $TEMPFILE
>     # ... more commands to build and send the client message ...
>     rm -f $BBTMP/msg.txt
>     mv $TEMPFILE $BBTMP/msg.txt

If using a private tmp directory, then I don't really see this as a
problem.. however, how about something like:

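# Look for mktemp in the usual locations
MKTEMP=
if [ -x /bin/mktemp ]
then
	MKTEMP=/bin/mktemp
elif [ -x /usr/bin/mktemp ]
then
	MKTEMP=/usr/bin/mktemp
fi
if [ -n "$MKTEMP" ]
then
	# mktemp creates the file itself, under an unpredictable name
	TEMPFILE=`$MKTEMP "$BBTMP/msg.txt.XXXXXXX"`
else
	# No mktemp on this host: fall back to the PID-based name
	TEMPFILE="$BBTMP/msg.txt.$$"
	rm -f "$TEMPFILE"
	touch "$TEMPFILE"
	# etc....
fi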

that way on hosts that have a mktemp in some 'standard' location, then
it will default to being 'more' secure....

> The reason why I save the latest message in msg.txt is for debugging
> only. The ideal thing would be to use the "mktemp" command, but that
> is not available on all systems where the client may run.
>
> This has been in the snapshots since November.

I suppose also, a simple if [ -e $TEMPFILE ] could check to see if the
file exists, and then just immediately send some red alert to hobbit
server with a reason.... "Possible symlink attack, file xyz already
exists" etc....

Anyway, for me, it isn't a big concern, just noticed it, and thought I'd
ask about it....

Regards,
Adam
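
The two ideas discussed in this thread (prefer mktemp where it exists, otherwise refuse a name that is already present), combined in one added example; it is not code from the thread or from hobbitclient.sh. `new_tempfile` and `MKTEMP_BIN` are hypothetical names, and the fallback branch assumes a POSIX shell, whose noclobber option (`set -C`) makes the create fail if the name appears between the check and the write.

```shell
# Added example (not hobbitclient.sh). new_tempfile and MKTEMP_BIN are
# hypothetical names; set MKTEMP_BIN to the empty string to force the fallback.
# Usage: TEMPFILE=`new_tempfile "$BBTMP"` || exit 1
new_tempfile() {
    dir=$1
    base=${2:-msg.txt}
    # Use the caller's MKTEMP_BIN if it is set, else whatever is on PATH
    mk=${MKTEMP_BIN-$(command -v mktemp 2>/dev/null || true)}

    if [ -n "$mk" ] && [ -x "$mk" ]; then
        # mktemp picks an unpredictable name and creates the file exclusively
        "$mk" "$dir/$base.XXXXXX"
        return
    fi

    # Fallback: PID-based name, as in the thread
    candidate="$dir/$base.$$"

    # -L also catches a dangling symlink, which -e reports as absent
    if [ -e "$candidate" ] || [ -L "$candidate" ]; then
        echo "Possible symlink attack, file $candidate already exists" >&2
        return 1
    fi

    # noclobber: the redirect fails instead of following or truncating
    # anything that was planted after the check above
    if ( set -C; : > "$candidate" ) 2>/dev/null; then
        printf '%s\n' "$candidate"
    else
        echo "Could not create $candidate exclusively" >&2
        return 1
    fi
}
```

Unlike `rm -f` followed by `touch`, the fallback never deletes or reuses an existing name, so a pre-planted file surfaces as an error the client can report to the server.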