Permissions on /tmp

Bill Freeman ke1g.nh at gmail.com
Thu May 23 10:27:38 EDT 2013 

On Thu, May 23, 2013 at 9:43 AM, Michael ODonnell <
michael.odonnell at comcast.net> wrote:

>
>
> > A subdir in /tmp can certainly have my ownership and permissions.
> > And I guess they can't delete the directory because it isn't
> > empty, but with permissions on the parent directory, can't they
> > move it?
>
> Picky, picky, picky.  Well, for completeness I suppose we should
> mention the "deleted file" trick (not necessarily better than your
> flock trick) where your app creates its secret-squirrel file in
> /tmp and then deletes it while holding it open.  (This trick is
> popular with malware eg. the Flash plugin)
>
> Your confederates can identify likely instances of your app using
> ps and then verify by reading the secret-squirrel file via the
> symlinked handle in /proc/$yourPIDhere/fd.  Since the file has
> no directory entry it can't be deleted by friend or foe and only
> those with appropriate privileges can access it as described,
> and all traces vanish upon process termination.
>

Has /proc become POSIX, or are we drifting into the Linux specific here?

>
> Example:
>
>   # echo HiMom > /tmp/SecretSquirrelFile
>
>   # sleep 1000 < /tmp/SecretSquirrelFile &
>   [2] 29570
>
>   # rm      /tmp/SecretSquirrelFile
>
>   # ls -laF /tmp/SecretSquirrelFile
>   ls: cannot access /tmp/SecretSquirrelFile: No such file or directory
>
>   # ls -laF /proc/$(pidof sleep)/fd
>   total 0
>   dr-x------ 2 mod mod  0 May 23 08:58 ./
>   dr-xr-xr-x 8 mod mod  0 May 23 08:57 ../
>   lr-x------ 1 mod mod 64 May 23 08:58 0 -> /tmp/SecretSquirrelFile
> (deleted)
>   lrwx------ 1 mod mod 64 May 23 08:58 1 -> /dev/pts/0
>   lrwx------ 1 mod mod 64 May 23 08:58 2 -> /dev/pts/0
>
>   # readlink /proc/$(pidof sleep)/fd/0
>   /tmp/SecretSquirrelFile (deleted)
>
>   # cat /proc/$(pidof sleep)/fd/0
>   HiMom
>
>
> Certainly nifty enough.

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20130523/79e61bac/attachment.html

More information about the gnhlug-discuss mailing list