Bugzilla – Bug 7536
need a generalized mk_tmp_dir function for all utilities to use
Last modified: 2007-08-09 16:38:42 UTC
It's come to our attention that a lot of files live in /tmp and sorcery doesn't check before writing stuff to them in some cases; with clever use of symlinks this can cause sorcery to destroy valuable data and opens the door to security problems. The main way to solve all these problems is to force all temporary file access to be done in a protected directory. cast already has this infrastructure in place. I think the easiest way to go about this is to have all utilities carry a global TMP_DIR variable, and all functions that need to write to a file must create it under $TMP_DIR (which presumably is known to be protected).
I've got a slightly more robust mk_tmp_dirs function; I'll submit it once I'm done testing it. After that we'll do this in two phases: phase 1, make all the utility scripts run mk_tmp_dirs; phase 2, make all the functions use $TMP_DIR (since all scripts do this it will work). The short version is, we'll provide $TMP_DIR as a global, and so long as no one deletes it and rebuilds it other than mk_tmp_dirs, it's secured through permission handling.
Phase one is complete at change 45229. A sub-goal is to extend mk_tmp_dirs to work with unprivileged users so gaze can use it as well. Right now it assumes that it's using /tmp/sorcery (which must be owned by root) and that it's running as root, and thus able to create directories owned by root. Right now I'm more concerned with the processes that run as root.
This is fixed on my laptop; I just need to finish testing before I submit...
This is fixed in devel at change 48651: everything uses $TMP_DIR instead of /tmp or somewhere else, and $TMP_DIR is owned by root, only writable by root and guaranteed to be empty unless someone has root privileges (at which point the gig is up anyway).
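The following is an added illustration of the approach the reporter and the fix comments describe (a protected $TMP_DIR created once by a trusted function, with every temp write routed under it); it is example code written for this page, not sorcery's own mk_tmp_dirs. The function names mk_tmp_dir, tmp_write and demo, and the scratch base directory the demo creates, are assumptions made for the example. Where sorcery's version assumes a fixed /tmp/sorcery owned by root, this one takes the base directory as a parameter and accepts any parent that is either owned by the caller or sticky (like /tmp), so the same code also serves the unprivileged case mentioned earlier in the bug.

```shell
#!/bin/bash
# Added example (not sorcery's code): create a private temp directory a
# script can trust, export it as TMP_DIR, and route every temp write
# through it so a planted symlink in /tmp cannot redirect a write.

# mk_tmp_dir BASE NAME
#   Creates BASE/NAME with mode 0700 and exports it as TMP_DIR. Refuses if
#   the path is a symlink, is not a directory, or belongs to someone else.
#   An existing directory that passes the checks is emptied, so callers
#   can assume TMP_DIR starts out empty.
mk_tmp_dir() {
    local base=$1 name=$2 dir
    dir="$base/$name"

    # The parent must be ours or sticky (like /tmp); otherwise another
    # user could rename our directory away and substitute their own.
    if ! { [ -O "$base" ] || [ -k "$base" ]; }; then
        echo "mk_tmp_dir: $base is neither owned by us nor sticky" >&2
        return 1
    fi

    # mkdir does not follow a symlink at the final path component, so a
    # successful mkdir means we created a fresh, private directory.
    if mkdir -m 0700 "$dir" 2>/dev/null; then
        TMP_DIR=$dir; export TMP_DIR
        return 0
    fi

    # mkdir failed: something already sits at $dir. A symlink here is the
    # classic attack (pointing at data we would then clobber), so refuse.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "mk_tmp_dir: $dir exists and is not a plain directory" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "mk_tmp_dir: $dir is owned by another user" >&2
        return 1
    fi
    # Require exactly 0700 so nobody else can create entries inside it.
    if [ -n "$(find "$dir" -maxdepth 0 ! -perm 0700)" ]; then
        echo "mk_tmp_dir: $dir has unexpected permissions" >&2
        return 1
    fi
    # Verified as ours and private: empty it so it is as good as new.
    # find -delete never follows symlinks, so a stray link inside is
    # unlinked rather than having its target removed.
    find "$dir" -mindepth 1 -delete || return 1
    TMP_DIR=$dir; export TMP_DIR
}

# tmp_write NAME   (content on stdin)
#   The one sanctioned way to write a temp file: always under $TMP_DIR,
#   never through a symlink.
tmp_write() {
    local target
    [ -n "$TMP_DIR" ] || { echo "tmp_write: TMP_DIR not set" >&2; return 1; }
    target="$TMP_DIR/$1"
    if [ -L "$target" ]; then
        echo "tmp_write: refusing to follow symlink $target" >&2
        return 1
    fi
    cat > "$target"
}

# demo: mk_tmp_dir refuses a planted symlink and accepts a clean path.
# Everything happens under a scratch directory we own (constructed for the
# example), so the "victim" file the symlink points at is ours too.
demo() {
    local scratch victim
    scratch=$(mktemp -d) || return 1
    victim="$scratch/precious"
    echo "do not clobber" > "$victim"

    # Attacker plants BASE/NAME as a symlink to the victim file.
    ln -s "$victim" "$scratch/sorcery"
    if mk_tmp_dir "$scratch" sorcery 2>/dev/null; then
        echo "demo: symlink was accepted" >&2; rm -rf "$scratch"; return 1
    fi
    [ "$(cat "$victim")" = "do not clobber" ] || { rm -rf "$scratch"; return 1; }

    # Clean path: the directory is created 0700 and writes land inside it.
    rm "$scratch/sorcery"
    mk_tmp_dir "$scratch" sorcery || { rm -rf "$scratch"; return 1; }
    echo "scratch data" | tmp_write work.txt || { rm -rf "$scratch"; return 1; }
    [ "$(cat "$TMP_DIR/work.txt")" = "scratch data" ] || { rm -rf "$scratch"; return 1; }

    # A second call re-verifies the existing directory and empties it.
    mk_tmp_dir "$scratch" sorcery || { rm -rf "$scratch"; return 1; }
    [ ! -e "$TMP_DIR/work.txt" ] || { rm -rf "$scratch"; return 1; }

    rm -rf "$scratch"
    return 0
}

if demo; then
    echo "mk_tmp_dir: planted symlink refused, clean directory accepted"
else
    echo "mk_tmp_dir: demo failed" >&2
    exit 1
fi
```

The key property is that mkdir without -p is atomic and never follows a symlink at the last path component, so the create-then-verify order above has no window in which an attacker-controlled path is trusted; the ownership and mode checks only matter on the reuse path, which is exactly the "no one deletes it and rebuilds it other than mk_tmp_dirs" condition from the bug.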
Mass closing fixed bugs.