←back to thread

Against /tmp

(dotat.at)
257 points todsacerdoti | 6 comments | 22 Oct 24 12:36 UTC | HN request time: 1.062s | source | bottom
1. josephcsible ◴[22 Oct 24 14:43 UTC] No.41914801[source]
If you're opening with O_CREAT|O_EXCL, why does it matter whether the filename is predictable?
replies(3): >>41914941 #>>41915153 #>>41919231 #
2. kijin ◴[22 Oct 24 14:58 UTC] No.41914941[source]
Because other processes can periodically check whether a predictable filename is in use, and guess things you'd rather keep private?
replies(2): >>41915014 #>>41916172 #
3. johnisgood ◴[22 Oct 24 15:05 UTC] No.41915014[source]
Why would you have processes you do not trust, or why not use firejail for those that may pose a security risk?

> Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

It supports "--private" (mounts new /root and /home/user directories in temporary filesystems), along with "--private-{bin,cache,cwd,dev,etc,home,lib,opt,srv,tmp} (plus "noexec /tmp")". It also supports "keep-config-pulse", "keep-dev-shm", and so forth, meaning you can have shared files between process if you so wish (for DBus, etc.).

4. fanf2 ◴[22 Oct 24 15:18 UTC] No.41915153[source]
Denial of service, the next point in that list.
5. josephcsible ◴[22 Oct 24 16:49 UTC] No.41916172[source]
But you wouldn't need to guess names to do that, since the names of files in /tmp are publicly listable.
6. cryptonector ◴[22 Oct 24 22:08 UTC] No.41919231[source]
As u/fanf says, denial of service. The canonical example here would be `/tmp/krb5cc_$UID`, which is where Kerberos libraries keep your Kerberos credentials. If you create that for some other user's UID before they login, they won't be able to use Kerberos (unless they have a clue), causing support calls. This isn't really an issue, but still.

And of course those libraries' code that uses those files had to be written very carefully.

Sure, the more modern thing is to have a daemon called `kcm` that does that and which has an AF_LOCAL socket in... /var/run/, but it's a multi-user-capable daemon, so it doesn't need /var/run/user/${UID}, which as I've noted elsewhere here, is not universally available (for the same reasons that /run/user/${UID} is not either).