While troubleshooting another bug, I noticed that maxima (a) defaults to using /tmp for its temporary directory on UNIX-like systems; and (b) does not use the secure filename facilities to create files there. This leads to some well-known exploits.
To summarize that page in a sentence or two: the /tmp directory is world-writeable, so if someone knows the filename that you're going to use ahead of time, he can "steal" it (by creating it, after which he is the owner) and then insert malicious data or code into it.
Grepping the source code suggests that the problem is widespread, but here's an example for good measure:
(%i1) plot2d(sin(x),[x,0,2*%pi],[gnuplot_term,dumb]);
...
(%o1) [/tmp/maxout25041.gnuplot, /tmp/maxplot.txt]
The first filename is easy to guess, and the second is impossible not to guess.
When you really need a temporary file, the solution is pretty easy: use something like mkstemp instead. All languages have similar functions these days.
If you don't really want a temporary file, some more thought may be required. If the file needs to stick around in a predictable location, some other pseudo-temporary storage location writeable only by the current user is needed.
Even files created by mkstemp and deleted directly afterwards can be hijacked by a process that has your privileges. Don't know if that is a security problem, too, though.
If someone else gains access to a process that has your privileges, you're already dead. The issue with predictable filenames is that anyone can write to them -- not just someone with your privileges. For example, if someone hacks a Wordpress site running as "nobody", they can pre-emptively steal any predictable temporary files that root is going to use. Whether or not that can actually be exploited depends on the nature of the temporary file, but there's almost always something bad you can do if you try hard enough.
It's hacky, but the mk(s)temp family of functions makes the scenario "secure with high probability" by making the names hard to guess.
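An added example, not part of the original thread and not Maxima's code: the two options discussed above, an unpredictable name from mkstemp and, where a fixed name is required, an exclusive create that refuses a file someone else already made. The function names, the "maxout" prefix and the scratch directory are assumptions chosen for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* mkstemp, mkdtemp, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unpredictable name: mkstemp fills in XXXXXX and opens the file with
   O_CREAT|O_EXCL, mode 0600, so an existing file or symlink is never reused. */
int open_temp_secure(const char *dir, const char *prefix, char *out, size_t len) {
    int n = snprintf(out, len, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out);
}

/* Fixed name: refuse anything already at the path (fails with EEXIST). */
int open_fixed_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* 1 if fd is a regular file we own, single link, no group/other access. */
int fd_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() && st.st_nlink == 1
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Self-check inside a private scratch directory; returns 0 if all hold. */
int demo(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX", fixed[64], a[64], b[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(fixed, sizeof fixed, "%s/maxplot.txt", dir);
    int pre = open(fixed, O_WRONLY | O_CREAT, 0644); /* constructed: name already taken */
    int refused = (open_fixed_exclusive(fixed) == -1 && errno == EEXIST);
    int fa = open_temp_secure(dir, "maxout", a, sizeof a);
    int fb = open_temp_secure(dir, "maxout", b, sizeof b);
    int ok = pre >= 0 && refused && fa >= 0 && fb >= 0 && strcmp(a, b) != 0
          && fd_is_private(fa) && fd_is_private(fb);
    if (fa >= 0) { close(fa); unlink(a); }
    if (fb >= 0) { close(fb); unlink(b); }
    if (pre >= 0) close(pre);
    unlink(fixed); rmdir(dir);
    return ok ? 0 : 2;
}
int main(void) { return demo(); }
```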
Thanks for your bug report, Michael. It is not forgotten. I will fix it while I'm working on making sure Gnuplot also manages to create the files it is supposed to.
Fixed with commit [51704c]. The result of the command
is now something such as
with random strings.
Thank you! That's a big improvement.