2016-11-02 13:32:44 +0000, Martijn Dekker:
[...]
> If both 'mkdir' and 'ln' operate atomically, there could be a safe
> workaround for creating a regular file directly under /tmp. It would
> involve creating a (very) temporary directory under /tmp using 'mkdir
> -m700', then creating the file inside there, setting the mode, etc. with
> no need for atomicity, then attempting to 'ln' that file back to /tmp
> until we've got an available name. Do you think this could work?
[...]

I don't think you can use ln here.

ln "$tempdir/file" "$tempfile"

would create a "$tempfile/file" link if "$tempfile" existed and
was of type directory or a symlink eventually resolving to a
directory.

Same problem with "mv" (which I think would work just as well
(with LC_ALL=C mv -i < /dev/null 2> /dev/null)).

It would not clobber a file but could create one in unwanted
places like /etc/profile.d or /var/spool/cron/crontabs or just
/tmp/foo/ where the attacker could replace it with his own one.

You could use "link" (Unix, not POSIX), or "ln -T" (GNU, not
POSIX) or "mv -Tn" (GNU) instead.

-- 
Stephane
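
Added example (not part of the original message): a shell sketch of the approach discussed in this thread, staging the file in a 'mkdir -m700' directory and publishing it with "ln -T", so that an existing directory or symlink at the target name makes the link fail rather than being linked into. It assumes GNU coreutils; the function names rand_suffix, link_exact and safe_tmpfile are hypothetical.

```shell
#!/bin/sh
# Added example: private staging directory, then a non-dereferencing hard link.
# Assumes GNU coreutils ("ln -T"); all function names are hypothetical.

# Random hex suffix for candidate names.
rand_suffix() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Hard-link $1 to exactly $2. With -T, ln never treats $2 as a directory
# to link into, so it fails if $2 exists as a file, directory or symlink.
link_exact() {
    ln -T -- "$1" "$2" 2>/dev/null
}

# Create a mode-600 regular file directly under directory $1.
# Prints the final path on success, returns non-zero on failure.
safe_tmpfile() {
    base=$1
    stage=''
    tries=0
    # mkdir is atomic and fails on any existing name, symlinks included.
    while [ "$tries" -lt 10 ]; do
        stage=$base/stage.$(rand_suffix)
        mkdir -m700 -- "$stage" 2>/dev/null && break
        stage=''
        tries=$((tries + 1))
    done
    [ -n "$stage" ] || return 1
    # Inside the 0700 directory, creation and mode setting need not be atomic.
    (umask 077 && : > "$stage/file") || { rmdir -- "$stage"; return 1; }
    tries=0
    while [ "$tries" -lt 10 ]; do
        final=$base/tmp.$(rand_suffix)
        if link_exact "$stage/file" "$final"; then
            rm -f -- "$stage/file"
            rmdir -- "$stage"
            printf '%s\n' "$final"
            return 0
        fi
        tries=$((tries + 1))
    done
    rm -f -- "$stage/file"
    rmdir -- "$stage"
    return 1
}
```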