[Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

On 07/08/2013 03:33 AM, Jérémy Lal wrote:
> On 08/07/2013 05:08, Shawn Landden wrote:
>> I installed a few packages yesterday, and today realized npm was wasting
>> 50M of my ram with copies of what it downloaded still in /tmp/npm-# folders

I haven't tried to reproduce this yet, but it sounds to me like you might be saying that the names of the /tmp/npm-# folders might be predictably named (e.g. named after the process id). Is this the case? If so, has anyone considered the possibility of an attack via predictable paths in a world-writable directory?

>> it should clean this up, put it in /var/cache, and/or have a command to clean up
>
> Issue reproduced. As a quick workaround, you can create ~/tmp and npm will
> use that instead. Otherwise i believe those leftovers are a bug.

it's buggy if it doesn't clean up, regardless of which tmp directory it uses. and npm should probably be respecting $TMPDIR directly following the standard unix conventions, rather than just assuming that the magically-named ~/tmp is preferable to /tmp.

--dkg

___
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

On 08/07/2013 12:38, Daniel Kahn Gillmor wrote:
> On 07/08/2013 03:33 AM, Jérémy Lal wrote:
>> On 08/07/2013 05:08, Shawn Landden wrote:
>>> I installed a few packages yesterday, and today realized npm was wasting
>>> 50M of my ram with copies of what it downloaded still in /tmp/npm-# folders
>
> I haven't tried to reproduce this yet, but it sounds to me like you might
> be saying that the names of the /tmp/npm-# folders might be predictably
> named (e.g. named after the process id). Is this the case? If so, has
> anyone considered the possibility of an attack via predictable paths in a
> world-writable directory?

I am curious about how `npm install mymodule` could be a target for an attacker, especially considering the temp directory is used only once (at (un)tar times).

>>> it should clean this up, put it in /var/cache, and/or have a command to clean up
>>
>> Issue reproduced. As a quick workaround, you can create ~/tmp and npm will
>> use that instead. Otherwise i believe those leftovers are a bug.
>
> it's buggy if it doesn't clean up, regardless of which tmp directory it
> uses.

This is what i meant by writing issue reproduced.

> and npm should probably be respecting $TMPDIR directly following the
> standard unix conventions, rather than just assuming that the
> magically-named ~/tmp is preferable to /tmp.

Agreed, the workaround i proposed is completely wrong, please read what `man npm-config` says about TMPDIR instead.

Jérémy.
[Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

On 07/08/2013 07:55 AM, Jérémy Lal wrote:
> I am curious about how `npm install mymodule` could be a target for an
> attacker, especially considering the temp directory is used only once
> (at (un)tar times).

if the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an attacker could watch the process table for a process named npm, and as soon as it appears (say, as pid 13577), create a symlink at /tmp/npm-13577 that points to, say, the home directory of the user npm, which might have the effect of clobbering any similarly-named files. This is a crude attack, but depending on the contents of the tarball it could be pretty unfortunate (e.g. if the tarball contains a file named secring.gpg, and the attacker points the symlink to the victim's ~/.gnupg ?).

> Agreed, the workaround i proposed is completely wrong, please read what
> `man npm-config` says about TMPDIR instead.

http://sources.debian.net/src/npm/1.2.18~dfsg-3/doc/cli/config.md#L756 suggests that it is supposed to use TMPDIR, which is good :)

--dkg
[Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

On 08/07/2013 14:23, Daniel Kahn Gillmor wrote:
> On 07/08/2013 07:55 AM, Jérémy Lal wrote:
>> I am curious about how `npm install mymodule` could be a target for an
>> attacker, especially considering the temp directory is used only once
>> (at (un)tar times).
>
> if the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an
> attacker could watch the process table for a process named npm, and as
> soon as it appears (say, as pid 13577), create a symlink at /tmp/npm-13577
> that points to, say, the home directory of the user npm, which might have
> the effect of clobbering any similarly-named files. This is a crude
> attack, but depending on the contents of the tarball it could be pretty
> unfortunate (e.g. if the tarball contains a file named secring.gpg, and
> the attacker points the symlink to the victim's ~/.gnupg ?).

I still do not understand if this is really a security issue. IMO if a program on your system does that, the whole system is compromised, you can't really be hardening any software against it.

If you disagree, do you mind if we move this discussion to upstream [nodejs] discussion group? We'll probably find some enlightenment there.

Jérémy.
Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

On 08/07/2013 16:06, Dominique Dumont wrote:
> On Monday 08 July 2013 14:36:24 Jérémy Lal wrote:
>> I still do not understand if this is really a security issue. IMO if a
>> program on your system does that, the whole system is compromised, you
>> can't really be hardening any software against it.
>
> A symlink attack is done by a user of a system against another user on
> the same system. This is not a worry on your laptop, but may be an issue
> on a bigger server in a data center

Thank you for the explanation. Somehow I understood it was important and forwarded the bug upstream.

Jérémy.