Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[tcpcrypt-dev] [PATCH v3] avoid symlink attacks in launch_tcpcryptd.sh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 23 10:10:02 PDT 2014


/tmp is world-writable -- if a non-privileged user creates a symlink
in /tmp/tcpcrypt.pid pointing to some file, then the superuser
executing launch_tcpcryptd.sh will truncate that file.

Modern systems will use /run or /var/run for this sort of thing,
rather than /tmp, since /var/run is not world-writable.
---
 user/launch_tcpcryptd.sh | 2 +-
 user/test/test_sessid.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/user/launch_tcpcryptd.sh b/user/launch_tcpcryptd.sh
index 9be678c..2e60268 100755
--- a/user/launch_tcpcryptd.sh
+++ b/user/launch_tcpcryptd.sh
@@ -6,7 +6,7 @@ PORT2=${2:-7777}
 
 TCPCRYPTD=`dirname $0`/src/tcpcryptd
 DIVERT_PORT=666
-PIDFILE=/tmp/tcpcrypt.pid
+PIDFILE=/var/run/tcpcrypt.pid
 
 start_tcpcryptd() {
     LD_LIBRARY_PATH=lib/ $TCPCRYPTD $OPTS -p $DIVERT_PORT &
diff --git a/user/test/test_sessid.sh b/user/test/test_sessid.sh
index 4855e95..0f14473 100644
--- a/user/test/test_sessid.sh
+++ b/user/test/test_sessid.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-PIDFILE=/tmp/tcpcrypt.pid
+PIDFILE=/var/run/tcpcrypt.pid
 
 `dirname $0`/../launch_tcpcryptd.sh &
 sleep 2
@@ -8,4 +8,4 @@ RET=$?
 kill `cat $PIDFILE 2>/dev/null` > /dev/null 2>&1
 rm -f $PIDFILE
 echo "$RES"
-exit $RET
\ No newline at end of file
+exit $RET
-- 
2.0.1



More information about the tcpcrypt-dev mailing list