Re: xsane: tempfile handled insecurely

From: Oliver Rauch (oliver.rauch@Wolfsburg.DE)
Date: Mon Feb 28 2000 - 08:25:15 PST

  • Next message: Kenneth E. Harker: "sane: UMAX Astra 2200 SCSI problems"

    Kevin Dalley wrote:

    > This problem was reported by a Debian user with xsane-0.49.
    >
    > With this version of xsane it is possible to let a user overwrite his
    > own files. Take for example user A with UID 1000 and user B who wants
    > to overwrite a file of A. In this case B creates a symlink
    > /tmp/preview-level-0-1000-mustek:_dev_sg1.ppm (1000 is the UID of user
    > A, mustek:_dev_sg1.ppm is the specification of the scanner) to some
    > file owned by user A, which B wants to be overwritten. If user A uses
    > xsane in combination with the preview window the next time, it will
    > overwrite the file, where the symlink points to, without asking
    > before.
    >

    Hi Kevin,

    I can not imagen how that can happen,

    here is the relevant part of the xsane-0.49 source:

        remove(filename); /* remove existing preview */
        umask(0177); /* creare temporary file with "-rw-------" permissions */
        out = fopen(filename, "w");
        umask(XSANE_DEFAULT_UMASK); /* define new file permissions */

    The temporary file or symlink is deleted before the new one is opend.
    I tested it the way you described it and everything works fine here,
    the file to which the symlink points keeps untouched!

    Please could you check it.

    Bye
    Oliver

    --
    Homepage:       http://www.wolfsburg.de/~rauch
    sane-umax:      http://www.wolfsburg.de/~rauch/sane/sane-umax.html
    xsane:          http://www.wolfsburg.de/~rauch/sane/sane-xsane.html
    E-Mail:         mailto:Oliver.Rauch@Wolfsburg.DE
    

    -- Source code, list archive, and docs: http://www.mostang.com/sane/ To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com



    This archive was generated by hypermail 2b29 : Mon Feb 28 2000 - 08:18:11 PST