UNIX for Dummies Questions & Answers

Hello,

One of the senior network admins at work told me that I should not hard code temp files into my scripts. Rather I should use the mktemp commands in the script to create them on the fly.

His argument was that if a malicious user knew the name of my temp files in the script they could create a symbolic link based on that name to a more important file to overwrite it. So if my temp file was called temp1 the hacker could create a symbolic link to say /etc/passwd.

On my system I created a symbolic link called temp1 pointing to /etc/passwd and then I used touch to create a file called temp1 to see what would happen. But when I tried to create the file with touch, most likely because the symbolic link called temp 1 was already there.

Hence my question: Is that the sysadmin said is true in light of my experiment? And if not, why should I use mktemp instead of hard coding tempf files in my scripts?

IMO? If a hacker is guessing filenames, he's not a very good hacker!

The only significant difference (apart from the name) I can see with whatever.$$ and mktemp is the permissions (600).

So perhaps the race condition the man page is referring to is the time it takes you to chmod a file?

He has a point, I think, but IMO not a very big one.

It's safe enough to touch /etc/passwd, but imagine what would happen if you'd overwrote it instead.

Using that predictable a name for your temp files has another problem though: What if you want to run two instances of your script at once? I usually do something like

Code:

TMPFILE="/tmp/$$-myprogram"

so each process has a different tempfile. That's only a half step away from using mktemp...

1) What does the $$ do?
2) Was the senior administrator write about his example concerning symbolic links? Like I said, when I tried it did not work (symbolic link will not overwrite /etc/passwd since it is already there) I was using a test system so no worries...had it overwritten /etc/passwd I would not be in trouble (smile).

1. the $$ is the PID number.
so /tmp/program.$$ becomes /tmp/program.10263 or maybe /tmp/program.542

2. the symbolic link will only let you over write the passwd file if your program is running as root.
is it a risk? yes, but soon as you start writing shell script that run as root you open yourself up to many possable security holes.

his use of mktemp is the right way of doing it, I would recomend you change your script to use it if you can.
if nothing else you will get on his good side :-)

Consider this: Your program uses a temporary file with a predictable name, to be used as a log. To this log, you write any input that isn't acceptable. A black-hat hacker now creates a symlink to /etc/passwd, and inputs this to your program:

Code:

toor:aaQSqAReePlq6:0:0::/tmp:/bin/sh

If everything goes well he has now access to a user called "toor" with an empty password and full administration rights. Not good, wouldn't you say?

Oh yes it will. A symlink, if it's not broken, acts just like the file it points to.

Code:

$ mkdir a
$ cd a
$ echo qwertyuiop > b
$ ln -s b c
$ echo asdf > c
$ cat b
asdf
$