Subject: Re: [ecasound] Fw: Bug#86747: ecawave: insecure and broken tmp-file handling
From: Kai Vehmanen (kaiv@wakkanet.fi)
Date: Mon Feb 26 2001 - 03:28:00 EET
On 26 Feb 2001, Robert Bihlmeyer wrote:
>> True, I've relied solely on 'tmpdir()'.
> Replacing tmpnam(0) with tempnam(0, 0) should take care of that. But
> you must use O_EXCL on the subsequent open(), or you're open to
> symlink attacks. Or just use mkstemp() or tmpfile().
Hmm, this is a bit tricky. Now plain file descriptor (mkstemp()) or
FILE* handle (tmpfile()) won't do, cause ecawave doesn't have
direct access to the temp file. As the temp file has to be converted
into a libecasound audio object, we will not know how it is opened,
or what code handle it; it might even be dynamically loaded as a plugin.
So we need to get a filename for the tempfile. I guess mkstemp() is still
the best alternative. If I remember right, it changes the template
given as argument into a real filename.
>>> * Leaves tempfiles around when exited via window-close.
> Simply start ecawave, "Open", enter file name, "Ok", select a range,
> "Cut".
[...]
> Selecting "close" will remove the Y files but not the X file. Closing
> the window by means of the window-manager will leave all of the files.
> I can reproduce this 100 %.
Ok, both cases are identified as bugs and are fixed (CVS +
0.3dev4). Thanks for the test cases!
>> Nope, you can change this by editing your ~/.ecawaverc (see ecawave
> Is there some reason that the clipboard is the same across
> invocations? So that you can copy between different windows? Perhaps a
> random name could be used - at least subprocesses could get the name
> quit easily.
Actually I've found it useful to have a persistant clipboard that holds
its contents over sessions. Hmm, I can think of a few alternatives:
(a) encode the user name into the default clipboard name, ie.
"$TMPDIR/ecawave-user-clipboard.wav"
(b) put the clipboard by default under user's home directory (and thus
avoid symlink attacks), "~/ecawave-clipboard.wav"
... comments?
> The other possibility is creating a new subdirectory in the tmp dir
> ($TMP;$TMPDIR;/tmp; as above), that is owned by the user and mode 755
> or less.
Hmm, this might not be a bad alternative. So we'd first create a
user-specific directory with mkdir("$tmpdir/ecawave-user", 0700),
and use our own tmpname generator to create the filenames. I'm assuming
here that
- mkdir is atomic (ie. behaves like open() with O_EXCL)
- files under the created subdirectory are safe from
symlink attacks and other kinds of abuse even though
they are not opened with O_EXCL (nor using mkstemp())
> That seems to be a bit of work, since what you're doing now is
> generating the name on in one layer, and opening the file in a
> completely different one. In short-term fix for the security problems
And going even further, it's not guaranteed that libecasound will handle
the file i/o. At least in theory it's possible to renamed the clipboard to
"clipboard.mp3". In this case, libecasound will fork mpg123 and lame to
access the it!
> tmpname instead of tmpnam; randomize the clipboard file like all the
> other tmp-files.
What do others think? Should ecawave's clipboard be persistant, or should
it be session-specific (ie. when you close ecawave clipboard is deleted)?
-- . http://www.eca.cx ... [ audio software for linux ] /\ . . http://www.eca.cx/aivastus ... [ aivastus net radio ] /\ .-- To unsubscribe send message 'unsubscribe' in the body of the message to <ecasound-list-request@wakkanet.fi>.
This archive was generated by hypermail 2b28 : Mon Feb 26 2001 - 02:47:18 EET