On 07/08/2013 07:55 AM, Jérémy Lal wrote:

> I am curious about how `npm install mymodule` could be a target for an 
> attacker,
> especially considering the temp directory is used only once (at (un)tar 
> times).

if the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an
attacker could watch the process table for a process named "npm", and as
soon as it appears (say, as pid 13577, create a symlink at
/tmp/npm-13577 that points to, say, the home directory of the user npm,
which might have the effect of clobbering any similarly-named files.

This is a crude attack, but depending on the contents of the tarball it
could be pretty unfortunate (e.g. if the tarball contains a file named
secring.gpg, and the attacker points the symlink to the victim's
~/.gnupg ?).

> Agreed, the workaround i proposed is completely wrong,
> please read what `man npm-config` says about TMPDIR instead.

suggests that it is supposed to use TMPDIR, which is good :)


Attachment: signature.asc
Description: OpenPGP digital signature

Pkg-javascript-devel mailing list

Reply via email to