You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As mentioned in https://lwn.net/Articles/250468/ and https://bugs.debian.org/496426 there may be a vulnerability when using tempfiles in /tmp.
In the rancid context the vulnerability isn't that grave, since rancid usually doesn't run as user root but as user rancid, but since rancid is some kind of backup, this may allow to attack your backup.
In the Debian package I fixed this vulnerability with the following patch: https://salsa.debian.org/debian/rancid/-/blob/master/debian/patches/06_tmp_security.patch
This uses mktemp(1) from the coreutils package to create a safe temp directory. In some situations it simply uses /var/lib/rancid (which is not permission 1777 but only accessible by user rancid) as an alternative implementation (not sure, whether I not always used mktemp, but this was 12 years ago...).
I'm not fully sure, what the best solution for upstream rancid package is, since I don't know whether mktemp can be considered to be available on every system (or how to integrate this into autoconf).
Since Debian requests maintainers to forward all Debian optimizations upstream, I'll open this issue here...
Greetings
Roland
The text was updated successfully, but these errors were encountered:
As mentioned in https://lwn.net/Articles/250468/ and https://bugs.debian.org/496426 there may be a vulnerability when using tempfiles in /tmp.
In the rancid context the vulnerability isn't that grave, since rancid usually doesn't run as user root but as user rancid, but since rancid is some kind of backup, this may allow to attack your backup.
In the Debian package I fixed this vulnerability with the following patch: https://salsa.debian.org/debian/rancid/-/blob/master/debian/patches/06_tmp_security.patch
This uses mktemp(1) from the coreutils package to create a safe temp directory. In some situations it simply uses /var/lib/rancid (which is not permission 1777 but only accessible by user rancid) as an alternative implementation (not sure, whether I not always used mktemp, but this was 12 years ago...).
I'm not fully sure, what the best solution for upstream rancid package is, since I don't know whether mktemp can be considered to be available on every system (or how to integrate this into autoconf).
Since Debian requests maintainers to forward all Debian optimizations upstream, I'll open this issue here...
Greetings
Roland
The text was updated successfully, but these errors were encountered: