I've been looking at fixing the various insecure uses of mktemp() in the nmh codebase. I've gradually realised that although some of them are fixable, some are really very tricky. The trouble is that much of the code assumes that you can create a temporary file and then later on reopen it by name[*]; and often this happens by a very indirect route, with a tempfile name being passed into functions which might also be using normal message files. Or we might create a tempfile and then rename it to something else.
So I think that it might be better to sidestep the whole issue by just having nmh create its temporary files in ~/Mail. Because this directory isn't writable except by the user, there's no danger of malicious attackers creating symlinks in it as there is with putting files in /tmp/. Some work would still be required, but nowhere near as much. Opinions?

[*] If you're not convinced that this is broken even if we avoid the simple mktemp() race condition, you can find fuller details here: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html#TEMPORARY-FILES

-- 
PMM
_______________________________________________
Nmh-workers mailing list
http://lists.nongnu.org/mailman/listinfo/nmh-workers
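The three properties the message above leans on, shown as an added C example that is not nmh code and not part of the thread: the target directory is verified to be private before any temp file goes in it, the file is created with mkstemp() (O_CREAT|O_EXCL) rather than the mktemp()-then-open() pattern, and a later reopen-by-name is checked against the inode of the file that was actually created, so a swapped file or a symlink planted under the same name is refused. The function names, the "nmhXXXXXX" template and the demo directory under $TMPDIR are assumptions made for illustration.

```c
/* Added example (not nmh code): the properties the message relies on, checked
 * in code. A private directory is verified before use, the temp file is created
 * with mkstemp() instead of mktemp()+open(), and a later reopen-by-name is
 * checked against the inode we originally created. Function names, the
 * "nmhXXXXXX" template and the demo directory are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if dir is a real directory (not a symlink), owned by us, and not writable
 * by group or others: the property the message assumes ~/Mail has. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Creates dir/nmhXXXXXX with mkstemp(), which opens O_CREAT|O_EXCL so the
 * mktemp() guess-then-open race cannot be won. Returns the fd (path in buf)
 * or -1 with errno set. */
int make_private_tmp(const char *dir, char *buf, size_t buflen)
{
    if (!dir_is_private(dir)) { errno = EACCES; return -1; }
    if (snprintf(buf, buflen, "%s/nmhXXXXXX", dir) >= (int)buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(buf);
}

/* Reopens path by name, as happens when a temp name is passed around, and
 * refuses unless it is the very file behind orig_fd (same device and inode).
 * O_NOFOLLOW stops a symlink swap; the inode compare stops a file swap.
 * Returns the new fd, or -1 with errno set. */
int reopen_same_file(const char *path, int orig_fd, int flags)
{
    struct stat created, reopened;
    int fd;
    if (fstat(orig_fd, &created) != 0) return -1;
    fd = open(path, flags | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &reopened) != 0 ||
        reopened.st_dev != created.st_dev || reopened.st_ino != created.st_ino) {
        close(fd);
        errno = ENOENT;   /* the file we created is no longer at that name */
        return -1;
    }
    return fd;
}

/* Runs the whole scenario in a fresh 0700 directory under $TMPDIR (or /tmp):
 * an honest reopen succeeds, then two attacker-style swaps are rejected.
 * Returns 0 when every step behaves as intended, else the failing step. */
int demo(void)
{
    char dir[256], path[512] = "", victim[512];
    const char *base = getenv("TMPDIR");
    int fd = -1, fd2, rc = 0;

    if (base == NULL || *base == '\0') base = "/tmp";
    snprintf(dir, sizeof dir, "%s/nmhdemoXXXXXX", base);
    if (mkdtemp(dir) == NULL) return 1;          /* mkdtemp creates mode 0700 */
    snprintf(victim, sizeof victim, "%s/victim", dir);

    if (!dir_is_private(dir)) { rc = 2; goto out; }
    if ((fd = make_private_tmp(dir, path, sizeof path)) < 0) { rc = 3; goto out; }
    if (write(fd, "draft\n", 6) != 6) { rc = 4; goto out; }

    /* Honest reopen by name: same inode, must succeed. */
    if ((fd2 = reopen_same_file(path, fd, O_RDONLY)) < 0) { rc = 5; goto out; }
    close(fd2);

    /* Swap 1: a different regular file appears under the same name. */
    unlink(path);
    if ((fd2 = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) { rc = 6; goto out; }
    close(fd2);
    if ((fd2 = reopen_same_file(path, fd, O_RDONLY)) >= 0) { close(fd2); rc = 7; goto out; }

    /* Swap 2: the name becomes a symlink, the classic /tmp attack. */
    unlink(path);
    if ((fd2 = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) { rc = 8; goto out; }
    close(fd2);
    if (symlink(victim, path) != 0) { rc = 9; goto out; }
    if ((fd2 = reopen_same_file(path, fd, O_RDONLY)) >= 0) { close(fd2); rc = 10; goto out; }

out:
    if (fd >= 0) close(fd);
    unlink(path); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    if (rc == 0) puts("all checks behaved as intended");
    else printf("step %d did not behave as intended\n", rc);
    return rc;
}
```

The directory check is what makes the ~/Mail idea hold: mkstemp() alone removes the create-time race, but a name that is later reopened is only as safe as the directory the name lives in, so the reopen helper carries the fd of the original file and compares device and inode instead of trusting the path.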
