[sane-devel] Temp file races

Henning Meier-Geinitz henning@meier-geinitz.de
Thu, 17 Jan 2002 22:44:45 +0100


Hi developers,

Several weeks ago, Tim Waugh contacted me because of some temp file issues in
sane-backends. You may have noticed some activity concerning this in the CVS.

A possible attack scenario:

* saned runs as root (it shouldn't, but if you have a parport scanner you must)
* the malicious user has a local account
* he sets a link from /tmp/tmpfile to whatever file he wants to create
  or remove/overwrite
* he runs his favourite backend which will happily open /tmp/tmpfile and
  truncate the file to which the link points (or create it) with
  ROOT PRIVILEGES.

Examples:
--> clear /etc/passwd
--> create /etc/nologin

Maybe it was also possible to set up a file with your own content but I didn't
try that (--> /etc/hosts.allow).

I hope we have found all temp file issues, but please have a look at your code
and check for yourself.

The typical problem is:

* open a file in /tmp/ with open() or fopen() without checking for symlinks
* overwrite it

It doesn't help to create a "unique" name with mktemp. This name can be
guessed and there is enough time between mktemp and open().  It also doesn't
help to remove the link before opening, because after the unlink() the
malicious user could recreate the link.

There are some ways to avoid this:

* don't use temp files at all
* don't create them in a world writable directory, use the HOME directory
* use open together with the flags O_EXCL and O_CREAT to make sure that the
  file (or a symlink) doesn't exist.
* use mkstemp. This is probably the best but I don't know how many platforms
  support it.

Bye,
  Henning
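
An added illustration of the two fixes recommended above (example code, not sane-backends' own): a symlink is planted in a private mkdtemp() directory the way the post describes, and the O_CREAT|O_EXCL open refuses to follow it while mkstemp() still yields a fresh, exclusively created file. It assumes a writable /tmp.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fix 1: with O_CREAT|O_EXCL, open() fails with EEXIST when anything (a
 * symlink included) already exists at path, so a planted link is never
 * followed and its target is never truncated. */
static int safe_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Plants dir/tmpfile -> dir/victim the way the post describes, inside a
 * private mkdtemp() directory, then checks that the O_EXCL open refuses
 * the link and victim keeps its content. Fix 2, mkstemp(), is exercised
 * too: it picks an unpredictable name and creates + opens it in one call,
 * closing the mktemp()-then-open() window. Returns 1 if both held. */
int demo_symlink_blocked(void)
{
    char dir[] = "/tmp/saneraceXXXXXX", victim[64], lnk[64], tmpl[64];
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/tmpfile", dir);
    snprintf(tmpl, sizeof tmpl, "%s/saneXXXXXX", dir);
    FILE *v = fopen(victim, "w");           /* constructed link target */
    if (!v || fputs("important\n", v) < 0)  /* 10 bytes of content */
        return 0;
    fclose(v);
    if (symlink(victim, lnk) != 0)
        return 0;
    int fd = safe_tmp_open(lnk);            /* must be refused */
    int blocked = fd == -1 && errno == EEXIST && file_size(victim) == 10;
    if (fd >= 0) close(fd);
    int mfd = mkstemp(tmpl);                /* fresh, empty, exclusive file */
    int ok = blocked && mfd >= 0 && file_size(tmpl) == 0;
    if (mfd >= 0) close(mfd);
    unlink(tmpl); unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}
```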