Bug#495193: predictable filename if too short template used

2008-08-15 Thread Riku Voipio

> mktemp /tmp/$0.$$.X

The problem here is that you are using too short a template. Try:

mktemp /tmp/$0.$$.XXX

using only 5 * X as in your version makes your app quite possibly
brute-forceable.

> This is the way it should be (Opensuse):

I suspect opensuse uses the gnu coreutils version of mktemp?

> I suggest you use
>
> a) a mixture of letters and numbers for mktemp

Which is what mktemp does. You might want to read the manpage
of mktemp. Agreed, that using pid as part of filling the
is quite pointless though. Alternatively mktemp could require a
minimum of X chars.

-- 
rm -rf only sounds scary if you don't have backups



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#495193: predictable filename if too short template used

2008-08-15 Thread Sven Joachim
On 2008-08-15 11:21 +0200, Riku Voipio wrote:

> mktemp /tmp/$0.$$.X
>
> The problem here is that you are using too short a template. Try:
>
> mktemp /tmp/$0.$$.XXX
>
> using only 5 * X as in your version makes your app quite possibly
> brute-forceable.

Not really, to make mktemp fail with 5 X's an attacker would have to
create 52^5 = 380204032 file names, which would probably make the file
system run out of inodes.

>> This is the way it should be (Opensuse):
>
> I suspect opensuse uses the gnu coreutils version of mktemp?

Seems so. Opensuse 11.0 no longer has an mktemp package, while their
package from 10.3 shows the same behavior as the Debian version.

>> I suggest you use
>>
>> a) a mixture of letters and numbers for mktemp
>
> Which is what mktemp does. You might want to read the manpage
> of mktemp.

Apart from the pid, mktemp only uses the letters A-Z and a-z.

Sven






Bug#495193: predictable filename if too short template used

2008-08-15 Thread Dirk Wetter

On 15.08.2008 11:21, Riku Voipio wrote:
>> mktemp /tmp/$0.$$.X
>
> The problem here is that you are using too short a template. Try:
>
> mktemp /tmp/$0.$$.XXX


The problem with that is that scripts with X=6 are not portable
to other Unices. And to compensate Debian's ineffectiveness here
with if-statements is no great thing either. I would rather prefer
getting this fixed in the first place.

Besides: a program should make sure that it provides the appropriate
level of security, not the user. If you put security in the hands
of users, where it is not needed, that's bad.

I am sure that not every user, i.e. shell programmer, understands the issue
as well as we both do.



> using only 5 * X as in your version makes your app quite possibly
> brute-forceable.


I see you got the point. ;-)

On other Linuxes you have, with only 5 chars, a randomness
of (10+26)^5 = 60466176 whereas on DEBIAN it's close to zero. ;-)

With 6 chars 2,176,782,336 on other systems, on Debian worst case ~36.


>> This is the way it should be (Opensuse):
>
> I suspect opensuse uses the gnu coreutils version of mktemp?


[EMAIL PROTECTED]:~|0% rpm -qf =mktemp
coreutils-6.11-9.1
[EMAIL PROTECTED]:~|0%

BTW: an old Ubuntu 6.06 as well as a sarge system also behave as
I would expect:

[EMAIL PROTECTED]:~ 0$ cat /etc/debian_version
3.1
[EMAIL PROTECTED]:~ 0$ mktemp /tmp/name.XX
/tmp/name.m6WAqO
[EMAIL PROTECTED]:~ 0$ dpkg -S `which mktemp`
debianutils: /bin/mktemp
[EMAIL PROTECTED]:~ 0$

I cannot comprehend why that changed in 4.0.


>> I suggest you use
>>
>> a) a mixture of letters and numbers for mktemp
>
> Which is what mktemp does. You might want to read the manpage
> of mktemp.


Yes.

You have there another bug: number of unique filenames mktemp can return
depends on the number of ‘Xs’ provided; ten ‘Xs’ will result in mktemp
testing roughly 26 ** 10 combinations.


26 is the number of chars, 10 is the number of numbers. So if you really 
would have a mixture of letters/numbers the combinations would be 36^10. 
But as you lost 4-5 digits now it is 36^6 or 36^5 when you use 10 Xs.



> Agreed, that using pid as part of filling the
> is quite pointless though.


Ok, so it would be great if you could fix that.


Cheers,
Dirk




--
Dirk Wetter @ Dr. Wetter IT Consulting  http://drwetter.org
IT security consulting + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3  64E5 C967 34D8 11B7 C62F

-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz







Bug#495193: predictable filename if too short template used

2008-08-15 Thread Dirk Wetter

On 15.08.2008 12:05, Sven Joachim wrote:

> On 2008-08-15 11:21 +0200, Riku Voipio wrote:
>
>> using only 5 * X as in your version makes your app quite possibly
>> brute-forceable.
>
> Not really, to make mktemp fail with 5 X's an attacker would have to
> create 52^5 = 380204032 file names, which would probably make the file
> system run out of inodes.


WRT 52: Oh, yes. I missed lower case chars ;-) So my calculation
for the right system (TM) -- including numbers -- would be even better: 62^5.



>>> This is the way it should be (Opensuse):
>>
>> I suspect opensuse uses the gnu coreutils version of mktemp?
>
> Seems so. Opensuse 11.0 no longer has an mktemp package, while their
> package from 10.3 shows the same behavior as the Debian version.


OT Good point, can confirm it on opensuse 10.2 /OT


> Apart from the pid, mktemp only uses the letters A-Z and a-z.

Yes, looking at it more closely: that's another point which is not
understandable. Please use numbers, too (see point a in the initial e-mail)!



Cheers,
Dirk



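As an added example (not code from this bug thread or from any mktemp implementation), here is the keyspace arithmetic the posters argue over, plus a small audit that flags short templates in a shell script. It assumes the pid-filling behaviour the thread describes (trailing X positions overwritten by the PID's decimal digits, the rest drawn from A-Z a-z); the alphabet sizes 52, 36 and 62 are the ones the posters used, and the sample script is constructed.

```python
import re

# Alphabet sizes used by the posters in the thread (A-Z a-z; letters+digits).
LETTERS = 52
LETTERS_AND_DIGITS = 62


def count_x(template: str) -> int:
    """Number of trailing X's in an mktemp template (the random part)."""
    m = re.search(r"X+$", template)
    return len(m.group(0)) if m else 0


def keyspace(template: str, alphabet: int = LETTERS_AND_DIGITS,
             pid_digits: int = 0) -> int:
    """Distinct names an attacker would have to guess among.

    Assumption from the thread: a pid-filling mktemp overwrites pid_digits
    trailing X positions with the (predictable) PID, so only the remaining
    X positions are random. A coreutils-style mktemp has pid_digits == 0.
    """
    random_positions = max(count_x(template) - pid_digits, 0)
    return alphabet ** random_positions


def audit_script(text: str, min_x: int = 6) -> list:
    """Flag mktemp templates with fewer than min_x X's in shell script text.

    Returns (line number, template, X count) tuples. Plain token scan; it
    does not evaluate shell quoting or variable expansion.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "mktemp" not in line:
            continue
        for tok in line.split():
            tok = tok.rstrip(")\"';")          # strip $(...) and quote endings
            n = count_x(tok) if tok.endswith("X") else 0
            if 0 < n < min_x:
                findings.append((lineno, tok, n))
    return findings


# Constructed sample script (not from the thread): one short, one long template.
SAMPLE_SCRIPT = """#!/bin/sh
TMP=$(mktemp /tmp/report.$$.XXXX) || exit 1
LOG=$(mktemp /tmp/report.XXXXXXXXXX) || exit 1
echo done > "$TMP"
"""

if __name__ == "__main__":
    print(keyspace("/tmp/f.XXXXX", LETTERS))            # Sven's 52^5
    print(keyspace("/tmp/f.XXXXXX", 36, pid_digits=5))  # Dirk's "worst case ~36"
    print(audit_script(SAMPLE_SCRIPT))
```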







Bug#495193: predictable filename if too short template used

2008-08-15 Thread Riku Voipio
On Fri, Aug 15, 2008 at 12:04:22PM +0200, Dirk Wetter wrote:
> On 15.08.2008 11:21, Riku Voipio wrote:
>> mktemp /tmp/$0.$$.X
>>
>> The problem here is that you are using too short a template. Try:
>>
>> mktemp /tmp/$0.$$.XXX
>
> The problem with that is that scripts with X=6 are not portable
> to other Unices.

You seem to be under the impression that only Debian's mktemp behaves
this way and that mktemp is standard. See www.mktemp.org

Since mktemp is not standard, the portability argument is a bit moot.
The mktemp Debian uses comes from OpenBSD. Another common implementation
comes from coreutils. The coreutils implementation supports more
than 6=X, so I guess there is some other implementation that for
some weird reason has that limit.

Whatever the case, you will need ifdef anyway to deal with
all the unixes that don't ship with mktemp.

> Ok, so it would be great if you could fix that.

Certainly, but I disagree with alarmist reporting. Previously
unknown security bugs should be reported over private mail to
either the security team or upstream authors directly.




