[DRE-maint] Is Ruby's Tempfile secure?

Charles Plessy plessy at debian.org
Mon Sep 1 13:17:46 UTC 2008


Greetings, Ruby adepts!

In the course of solving a security bug in a Ruby script, we came to wonder if
the "Tempfile" class is secure or not. Can we have your opinion?

On Mon, Sep 01, 2008 at 02:53:27PM +0200, Thijs Kinkhorst wrote:
> On Mon, September 1, 2008 14:44, Charles Plessy wrote:
> > for your information, Upstream solved the problem using the Tempfile
> > class, with calls like this:
> >
> > temp_vf = Tempfile.new("_vf").path
> >
> > I suppose it is as good as stemp?
> 
> I'm afraid the Tempfile class doesn't look secure to me:
> "Creates a temporary file of mode 0600 in the temporary directory whose
> name is basename.pid.n"
> 
> Also the first sentence of the Ruby-stemp website reads:
> "Pure Ruby tempfile implementations appear to suffer from well-known race
> conditions."
> http://ruby-stemp.rubyforge.org/

Hmmm... it is not because they bash their competitor that they are right ;)

Look at the Ruby interpreter:

aqwa『~』$ irb
irb(main):001:0> require 'tempfile'
=> true
irb(main):003:0> Tempfile.new("toto")
=> #<File:/tmp/toto20080901-14896-1wek483-0>
irb(main):004:0> Tempfile.new("toto")
=> #<File:/tmp/toto20080901-14896-1tbp21f-0>
irb(main):005:0> 
[1]+  Stopped                 irb
aqwa『~』$ ps aux | grep irb
charles  14896  0.0  0.2  29728  6132 pts/2    T    22:04   0:00 irb     

The ".n" in basename.pid.n seems to be doing the right job.

For the race condition, I really do not know. I think that the upstream author
is quite busy and was kind enough to help me to get a working patch quickly
(the one I submitted to you for review did not work in the end). Unless our
Ruby experts confirm that Tempfile should not be used, I would not like to ask
him to revise his patch.

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan
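
Added example, not part of the original message or of the upstream patch: the properties a reviewer would check to answer the question raised in this thread, namely exclusive creation (O_CREAT|O_EXCL), mode 0600, and refusal to follow a name that already exists. The helper names `create_exclusive`, `audit_tempfile` and `exclusive_open_refuses_symlink?` are hypothetical, and the file names are constructed sample data.

```ruby
require 'tempfile'
require 'tmpdir'
require 'securerandom'

# Hypothetical helper: create a temp file with an unpredictable name and
# O_CREAT|O_EXCL, so the kernel refuses any path that already exists
# (including a symlink placed at that name). Mode 0600 keeps it private.
def create_exclusive(dir, basename, attempts = 10)
  attempts.times do
    path = File.join(dir, "#{basename}#{SecureRandom.hex(8)}")
    begin
      return File.open(path, File::RDWR | File::CREAT | File::EXCL, 0600)
    rescue Errno::EEXIST
      next # name taken: pick another, never reuse or overwrite
    end
  end
  raise "could not create a temporary file in #{dir}"
end

# Checks that can be run against any temp-file API, here Tempfile itself.
def audit_tempfile(basename)
  tf = Tempfile.new(basename)
  st = File.lstat(tf.path) # lstat: inspect the entry itself, not a link target
  { regular_file: st.file?, mode: st.mode & 0777, owned_by_us: st.owned? }
ensure
  tf.close! if tf
end

# Constructed scenario: a symlink already sits at the name we want to create.
# Returns true when exclusive creation refuses it and the target is untouched.
def exclusive_open_refuses_symlink?
  Dir.mktmpdir do |dir|
    target = File.join(dir, "existing.txt")
    File.write(target, "original")
    planted = File.join(dir, "planted")
    File.symlink(target, planted)
    begin
      File.open(planted, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write("x") }
      false
    rescue Errno::EEXIST
      File.read(target) == "original"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p audit_tempfile("_vf")
  p exclusive_open_refuses_symlink?
end
```

Keeping only `.path` from `Tempfile.new(...)` drops the object that owns the file, and Ruby may delete the file when that object is garbage-collected, so hold a reference to the Tempfile object for as long as the path is in use.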


