Hi, I need someone with the right expertise to judge the severity of this thing. qmail-qfilter creates temporary files like this:

    #include <stdlib.h>   /* mkstemp, exit */
    #include <unistd.h>   /* unlink */
    /* TMPDIR and QQ_WRITE_ERROR are defined at the top of qmail-qfilter.c */

    /* Create a temporary invisible file opened for read/write */
    int mktmpfile()
    {
        char filename[sizeof(TMPDIR)+19] = TMPDIR "/fixheaders.XXXXXX";
        int fd = mkstemp(filename);
        if(fd == -1)
            exit(QQ_WRITE_ERROR);
        /* The following makes the temporary file disappear immediately on program exit. */
        if(unlink(filename) == -1)
            exit(QQ_WRITE_ERROR);
        return fd;
    }

with TMPDIR defaulting to /tmp. The homepage ( http://untroubled.org/qmail-qfilter/ ) says:

- Check the definitions at the top of qmail-qfilter.c, especially the value of TMPDIR. This should be set to a temporary directory that only the executor of qmail-qfilter has write access to.

which we have not done so far (I've just committed qmail-qfilter-2.1-r1 which does just that). As mkstemp creates files 0666 (according to the German man page) (why?), there would be a possibility of a local user sniffing email on a system running qmail-qfilter by watching /tmp for appropriate files...

All your comments, opinions and flames welcome.
I'm not in the auditing team, so don't take me too seriously here. The German man pages are horribly outdated (10 years old!). glibc >= 2.0.7 creates it with the permission 0600; besides that, I consider the valid use of mkstemp pretty secure.
(In reply to comment #1)
> I'm not in the auditing team, so don't take me too serious here. The german man
> pages are horribly outdated (10 years old!). glibc >= 2.0.7 creates it with the
> permission 0600, besides that I consider the valid use of mkstemp as pretty
> secure.

I confirm that the file is created with 0600 as from glibc-2.0.7. In that case there's no security risk, right?
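The two points made in this thread (mkstemp gives 0600 on glibc >= 2.0.7, and TMPDIR should be a directory only the executor can write to) can both be checked in code. The following is an added example, not code from the bug thread or from qmail-qfilter: it creates an unlinked temp file the way mktmpfile() does, reads the resulting permission bits back with fstat(), tightens them with fchmod() if a C library ever created the file wider than owner-only, and tests whether a directory would satisfy the homepage's requirement for TMPDIR. The function names create_private_tmpfile() and dir_is_private(), the 4096-byte path buffer and the belt-and-braces umask(077) are my own choices.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef TMPDIR
#define TMPDIR "/tmp"   /* qmail-qfilter's default; the homepage recommends a private directory */
#endif

/* Create an unlinked temp file in `dir` the way qmail-qfilter's mktmpfile() does,
 * then verify with fstat() that no group/other bits are set and fix them if they are
 * (defends against a libc that still creates mkstemp files 0666).
 * Returns the final permission bits (e.g. 0600), or -1 on any error.
 * If fd_out is non-NULL the open descriptor is handed back, otherwise it is closed. */
int create_private_tmpfile(const char *dir, int *fd_out)
{
    char path[4096];   /* assumption: fixed buffer instead of sizeof(TMPDIR)+19 */
    int n = snprintf(path, sizeof path, "%s/fixheaders.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;

    /* umask can only remove bits, so 0600 stays 0600 and a hypothetical 0666 becomes 0600 */
    mode_t old = umask(077);
    int fd = mkstemp(path);       /* O_CREAT|O_EXCL: never follows an attacker's symlink */
    umask(old);
    if (fd == -1)
        return -1;

    /* As in qmail-qfilter: the name disappears immediately, only the descriptor remains */
    if (unlink(path) == -1) { close(fd); return -1; }

    struct stat st;
    if (fstat(fd, &st) == -1) { close(fd); return -1; }
    if (st.st_mode & (S_IRWXG | S_IRWXO)) {
        /* Older libc behaviour: tighten to owner read/write and re-read the mode */
        if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) { close(fd); return -1; }
        if (fstat(fd, &st) == -1) { close(fd); return -1; }
    }

    if (fd_out) *fd_out = fd; else close(fd);
    return (int)(st.st_mode & 0777);
}

/* Does `dir` meet "only the executor of qmail-qfilter has write access"?
 * True only for an existing directory owned by the effective uid with no
 * group/other write bit. A sticky world-writable /tmp (1777) is shared and fails. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) == -1 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    int fd;
    int mode = create_private_tmpfile(TMPDIR, &fd);
    if (mode == -1) {
        perror("create_private_tmpfile");
        return 1;
    }
    printf("temp file in %s created with mode %04o\n", TMPDIR, mode);
    close(fd);
    printf("%s is %s as a private TMPDIR\n", TMPDIR,
           dir_is_private(TMPDIR) ? "acceptable" : "NOT acceptable");
    return 0;
}
```

On a current glibc the first line prints mode 0600 without the fchmod() branch ever running, which is the point made in comment #1; the second line shows that the default /tmp still fails the homepage's TMPDIR requirement even though the file itself is not readable by others.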
I think this is safe enough... and I learned a lesson about German man pages... thanks everybody!
verified