Subject: euid in _is_safe(); safe_level(MEDIUM) for taint mode
Hello,
[ Recently I posted this message to perl5-porters mailing list,
but later realized I should have used rt.cpan.org. ]
The patch is explained below.
--- File/Temp.pm- 2005-04-03 15:27:16 +0000
+++ File/Temp.pm 2005-08-16 22:50:39 +0000
@@ -679,11 +679,11 @@ sub _is_safe {
return 1 if $^O eq 'VMS'; # owner delete control at file level
# Check to see whether owner is neither superuser (or a system uid) nor me
- # Use the real uid from the $< variable
+ # Use the effective uid from the $> variable
# UID is in [4]
- if ($info[4] > File::Temp->top_system_uid() && $info[4] != $<) {
+ if ($info[4] > File::Temp->top_system_uid() && $info[4] != $>) {
- Carp::cluck(sprintf "uid=$info[4] topuid=%s \$<=$< path='$path'",
+ Carp::cluck(sprintf "st_uid=$info[4] topuid=%s euid=$> path='$path'",
File::Temp->top_system_uid());
$$err_ref = "Directory owned neither by root nor the current user"
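Review bot: in the Carp::cluck line, `$path` (and `$info[4]`) are interpolated straight into the sprintf format string, so a directory name containing `%` is parsed as a conversion directive; pass them as arguments instead, e.g. `Carp::cluck(sprintf "st_uid=%d topuid=%s euid=%d path='%s'", $info[4], File::Temp->top_system_uid(), $>, $path);`. Switching the comparison from `$<` to `$>` is the right call for setuid use, since the process creates files with its effective uid; the error string on the following line still says "the current user" and should be tightened to "the effective user" so the message matches the check.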
@@ -2241,4 +2241,10 @@ security enhancements.
=cut
+{
+ no strict 'refs';
+ File::Temp->safe_level(MEDIUM)
+ if ${"\cTAINT"};
+}
+
1;
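Review bot: `${"\cTAINT"}` is a symbolic reference to `${^TAINT}` (hence the `no strict 'refs'`), presumably spelled this way so the file still compiles on perls that do not accept the `${^TAINT}` syntax; a comment saying so would save the next reader a detour. Two behavioural points: `${^TAINT}` is -1 under `-t` (taint warnings only), which this `if` treats as true, so warnings-only mode also gets MEDIUM; and the call runs at module load, raising the default for every taint-mode program that uses File::Temp, so the documentation above `=cut` should state this new default rather than leave it implicit.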
End of patch
First, real/effective UID distinction is essential for setuid scripts.
Filesystem permissions are controlled by the effective UID of the
process. When a privileged script is checking if the directory is safe,
it should check that the directory is *not* owned by the caller.
Otherwise, the user can replace a temporary file created by the
privileged process, which is almost certainly not what we want.
Second, I suggest enabling the MEDIUM security level for taint mode,
which is on when running setuid/setgid scripts. It's only on MEDIUM
level that the above _is_safe() security check is performed.
--
Alexey Tourbin
ALT Linux Team
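As an added illustration (not part of the patch or of File::Temp itself), here is a stand-alone Perl version of the ownership check the message describes, comparing the directory owner against the effective uid `$>` rather than the real uid `$<`. The `$TOP_SYSTEM_UID` value and the function name `dir_is_safe` are assumptions of this example; it exercises the check on a directory created with `File::Temp::tempdir`, first as created and then after making it world-writable without the sticky bit.

```perl
#!/usr/bin/perl
# Added illustration (not File::Temp code and not the patch): a stand-alone
# version of the MEDIUM-level directory check, written against the
# effective uid ($>) as the patch proposes.
use strict;
use warnings;
use Fcntl ':mode';               # S_ISDIR, S_IWGRP, S_IWOTH, S_ISVTX
use File::Temp qw(tempdir);

# Directories owned by uids up to this value count as system-owned.
# File::Temp's default top_system_uid is 10; this constant is an assumption.
my $TOP_SYSTEM_UID = 10;

# Returns 1 if $path is a directory owned by root/system or by the
# effective user, and not group/world writable unless sticky.
# Returns 0 and sets $$err with the reason otherwise.
sub dir_is_safe {
    my ($path, $err) = @_;
    my @info = stat($path);
    unless (@info) {
        $$err = "stat failed: $!";
        return 0;
    }
    my $mode = $info[2];
    my $uid  = $info[4];
    unless (S_ISDIR($mode)) {
        $$err = "not a directory";
        return 0;
    }
    # Compare against the effective uid: a setuid program creates files
    # as $>, so a directory owned by the real (unprivileged) user is unsafe.
    if ($uid > $TOP_SYSTEM_UID && $uid != $>) {
        $$err = sprintf "directory owned by uid %d, not root or euid %d", $uid, $>;
        return 0;
    }
    # Group/other write access is acceptable only with the sticky bit set.
    if (($mode & (S_IWGRP | S_IWOTH)) && !($mode & S_ISVTX)) {
        $$err = "directory is group/world writable and not sticky";
        return 0;
    }
    return 1;
}

# Demonstration on a fresh directory owned by the current effective user.
my $dir = tempdir(CLEANUP => 1);
my $err;
printf "%s: %s\n", $dir, dir_is_safe($dir, \$err) ? "safe" : "unsafe ($err)";

# World-writable without the sticky bit: the check must now reject it.
chmod 0777, $dir or die "chmod: $!";
printf "%s (0777): %s\n", $dir, dir_is_safe($dir, \$err) ? "safe" : "unsafe ($err)";
```

Run as an ordinary user the first line reports the directory as safe and the second as unsafe; under a setuid wrapper the owner comparison is against the privileged euid, which is exactly the behaviour the patch restores in `_is_safe()`.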