[Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 8 12:23:51 UTC 2013


On 07/08/2013 07:55 AM, Jérémy Lal wrote:

> I am curious about how `npm install mymodule` could be a target for an attacker,
> especially considering the temp directory is used only once (at (un)tar times).

if the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an
attacker could watch the process table for a process named "npm", and as
soon as it appears (say, as pid 13577), create a symlink at
/tmp/npm-13577 that points to, say, the home directory of the user npm,
which might have the effect of clobbering any similarly-named files.

This is a crude attack, but depending on the contents of the tarball it
could be pretty unfortunate (e.g. if the tarball contains a file named
secring.gpg, and the attacker points the symlink to the victim's
~/.gnupg ?).

> Agreed, the workaround i proposed is completely wrong,
> please read what `man npm-config` says about TMPDIR instead.

http://sources.debian.net/src/npm/1.2.18~dfsg-3/doc/cli/config.md#L756
suggests that it is supposed to use TMPDIR, which is good :)

	--dkg
