Detecting /tmp race conditions

Programs that create files in /tmp can be a security risk unless they are well written. Good programs will open files using the flags O_CREAT and O_EXCL to create files so that the open fails if the file already exists. Bad programs will not use just O_CREAT, which means that if the file already exists, it will be truncated. On some flavours of Un*x (including Linux 2.1), if the filename exists as a dangling symlink, the target of the symlink will be created; this can be exploited to create an arbitrary file on the system.

It is possible to automate the detection of programs using /tmp unsafely by noticing creation of files in sticky directories without O_EXCL set. This isn't quite the same test, since you are actually interested in shared directories, but in practice it's good enough - it's rare for the sticky bit to be set on directories which are not shared.

In the event that a file in /tmp is truncated as a result of not using O_EXCL, the patch will log the fsuid of the process that called open, and the uid of the file that got truncated. It is unlikely that you will see this log in a real attack since most attacks in /tmp involve symlinks to files outside of /tmp.

The patch was made against linux-2.1.117 and should be applied using

cd /usr/src/linux/ && patch -p1 </path/to/tmpcheck.patch

tmpcheck.patch

Programs that create files in /tmp unsafely

The following programs create temporary files as part of their normal operation, but fail to set O_EXCL.

Mail
Rnmail
bash
byacc
c2ph
ddd
emacs
gcc
lynx-2.8
mail
mailstat
munchlist
netscape
news.daily
nntplist
patch
perl
restore
rdist
s2p
sort
trn
xman
xntpd
ypbind

Programs that are unsafe to use in /tmp

The following programs do not set O_EXCL when creating data files, and cannot be used in /tmp.

any shell with noclobber unset
ci
co
red
touch
vim

Peter Benie <pjb1008@cam.ac.uk>