
This queue is for tickets about the Message-Passing-ZeroMQ CPAN distribution.

Report information
The Basics
Id: 89043
Status: new
Priority: 0/
Queue: Message-Passing-ZeroMQ

People
Owner: Nobody in particular
Requestors: dr [...] jones.dk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: predictable files in /tmp
Date: Mon, 30 Sep 2013 11:14:32 +0200
To: bug-message-passing-zeromq [...] rt.cpan.org
From: Jonas Smedegaard <dr [...] jones.dk>

Hi,

I noticed your recent fix for ØMQ bug#140 changing to /tmp if ZMQ_SWAP is enabled.

That makes me worry: does that mean ØMQ creates predictable files in a shared writable directory?

If so, I'd say that's a bug: It is common practice to chdir to root dir before starting daemons - AFAIUI not only to ensure the path does not disappear while daemon is running, but also to ensure CWD is not writable - exactly to avoid surprise security weaknesses like this.

Unless ØMQ only does a silly check for writability (i.e. does not actually write any files to CWD), I suggest to _not_ do a chdir, but instead do a check for write access on our own and fail with a human understandable error if not - hinting about the need for CWD to be writable (and recommending to use a _private_ writable dir if the system has any untrusted users).

Regards,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
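The check proposed in the message above, sketched in Perl as an added example; it is not code from the ticket or from the Message-Passing-ZeroMQ distribution. The name `check_swap_cwd` and its `strict` option are hypothetical, and the ownership test and the fatal strict mode go beyond what the message asks for.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Hypothetical helper, not part of Message::Passing::ZeroMQ.
# Checks the current directory instead of chdir()ing to /tmp.
# Dies if it is not writable; a directory that other users can write to is
# reported with a warning, or fatally when strict => 1 is passed.
sub check_swap_cwd {
    my (%opt) = @_;
    my $dir = getcwd();
    defined $dir or die "Cannot determine the current directory: $!\n";
    my @st = stat($dir) or die "Cannot stat '$dir': $!\n";
    my ($mode, $owner) = @st[2, 4];

    -w $dir or die "ZMQ_SWAP is enabled but the current directory '$dir' "
        . "is not writable. Start from a writable directory, preferably a "
        . "private one if the system has untrusted users.\n";

    my @problems;
    push @problems, sprintf('mode %04o allows writes by other users', S_IMODE($mode))
        if $mode & (S_IWGRP | S_IWOTH);
    push @problems, "owned by uid $owner, not the running uid " . $>
        if $owner != $>;
    if (@problems) {
        my $msg = "Current directory '$dir' is shared (" . join('; ', @problems)
            . "); predictably named files created here could be tampered with.\n";
        die $msg if $opt{strict};
        warn $msg;
    }
    return $dir;
}

# Constructed demonstration: a fresh 0700 directory passes, /tmp is flagged.
my $private = tempdir(CLEANUP => 1);
chdir $private or die "chdir $private: $!\n";
print "ok: ", check_swap_cwd(strict => 1), "\n";

chdir '/tmp' or die "chdir /tmp: $!\n";
eval { check_swap_cwd(strict => 1); 1 } or print "rejected: $@";
chdir '/';    # leave the temp dir so CLEANUP can remove it
```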