Re: Possible make_oidjoins_check Security Issue

Bruce Momjian <pgman@candle.pha.pa.us>

From: Bruce Momjian <pgman@candle.pha.pa.us>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Neil Conway <neilc@samurai.com>, Rod Taylor <pg@rbt.ca>, PostgreSQL Development <pgsql-hackers@postgresql.org>
Date: 2004-10-26T14:47:40Z
Lists: pgsql-hackers
Tom Lane wrote:
> Neil Conway <neilc@samurai.com> writes:
> > On Wed, 2004-10-20 at 06:18, Rod Taylor wrote:
> >> http://secunia.com/advisories/12860/
> 
> > This seems like a rather inconsequential problem,
> 
> Indeed, since ordinary users have no use for make_oidjoins_check.
> It's surely very implausible that anyone would run it as root; and
> even if someone did, the attacker cannot control what gets written.
> 
> > but it should be fixed. The first two ideas that come to mind: use
> > temporary files in $PWD rather than /tmp, or create a subdirectory in
> > /tmp to use for the temporary files.
> 
> I believe that the subdirectory idea is also vulnerable without great
> care.

I believe the proper way to handle this is a new directory under /tmp. 
I use this in my local scripts:

	TMP=/tmp/$$
	OMASK="`umask`"
	umask 077
	if ! mkdir "$TMP"
	then    echo "Can't create temporary directory $TMP." 1>&2
	        exit 1
	fi
	umask "$OMASK"
	unset OMASK

It basically makes sure it creates a new directory under /tmp with a
umask that guarantees no one else can create a file in that directory. 
All temp files are accessed as $TMP/XXX.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073