[Compilercache-general] RFC: suggestion for secure tmp file creation
From: Jochen V. <vo...@ma...> - 2001-11-20 19:17:15
Hello,

I got the following bug report for my Debian package of compilercache.

From: Richard Atterer <at...@de...>
Subject: compilercache: Insecure temporary directory creation
Date: Sun, 11 Nov 2001 19:05:58 +0100
Package: compilercache
Version: 1.0.9-2
Severity: normal
Tags: patch

Hi,

With 1.0.9-2, you (wisely) moved the cache directory to the user's home directory to avoid security problems. However, some users will still want to have the directory in /tmp so that cache entries are expired automatically. If they do put the cache in /tmp, the patch below will increase security by first creating the directory and then checking whether it is owned by the user.

I believe this makes cache dirs in /tmp secure as long as the cache dir is in /tmp itself (/tmp/compilercache_$USER) and not in a further subdirectory (/tmp/somedir/compilercache_$USER). The worst thing that can happen is a "denial of service" if someone else got there first and created /tmp/compilercache_$USER files for all user names - not really a problem in practice.

This change breaks the ability to share a cache between >1 users. However, that is evil anyway, not only for security reasons, but also because all sorts of "funny" problems can arise by different toolchain versions being used on different machines.

--- compilercache.orig Sun Nov 11 18:36:54 2001 +++ compilercache Sun Nov 11 18:39:34 2001
@@ -107,6 +107,11 @@ exit 0 } +if test ! -O "$CACHEDIR" -o ! -G "$CACHEDIR"; then + echo "compilercache: error: \`$CACHEDIR' owned by another user/group" 1>&2 + exit 1 +fi + # bypass if user temporarily disabled compilercache if ! [ "$NOCOMPILERCACHE" = "" ]; then ignoremode "NOCOMPILERCACHE environment variable set"

Full details are at http://bugs.debian.org/119170

What do you think about this?

I think this should not be implemented directly, because it loses the possibility to share cache directories. But maybe the best solution would be to add a new option to the configuration file: if you would set YES_PLEASE_CHECK_THE_CACHE_DIR_OWNER=1, the above check could be enabled, and be disabled otherwise.

So again, what do you think?

Jochen

--
http://www.mathematik.uni-kl.de/~wwwstoch/voss/
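Review bot: the added `if test ! -O "$CACHEDIR" -o ! -G "$CACHEDIR"` check establishes ownership only, and it follows symbolic links, so it does not confirm that `$CACHEDIR` is itself a directory, nor that its mode keeps other users out; a path that resolves to a user-owned directory passes, and so does a user-owned directory that is group- or world-writable. Extending the condition with `! -L "$CACHEDIR" -a -d "$CACHEDIR"` and applying `chmod 700 "$CACHEDIR"` right after the directory is created would close both gaps without changing the intent described in the report. Two smaller points: `-O` and `-G` are not part of POSIX `test` (they are shell extensions), and the `-o` operator is marked obsolescent, so `if test ! -O "$CACHEDIR" || test ! -G "$CACHEDIR"; then` is the more portable spelling; and the `-G` half rejects a directory the user owns whose group is not the user's effective group, which goes beyond the "owned by the user" check the report describes and may produce spurious failures on systems where the group of a new directory is inherited from /tmp.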