Icinga / icinga-core

Icinga 1.x, the old core (EOL 31.12.2018)
GNU General Public License v2.0

predictable temp file name may be exploitable #1606

Closed orlitzky closed 6 years ago

orlitzky commented 6 years ago

If no temporary file is specified, the ./configure process sets:

Temp file:  /tmp/icinga.tmp

Using a predictable name under /tmp is usually exploitable. After the machine reboots but before icinga starts, there is a period of time where anyone on the machine (because /tmp is world-writable) can create /tmp/icinga.tmp. Afterwards, the creator owns that file and can do what he wants with it. If Icinga trusts the contents of the temporary file for anything important, that could be bad. I don't know if that's the case -- I haven't checked what the temp file is used for.

There are two fixes that I'm aware of:

  1. Use some other writable directory and not /tmp for your temp files.
  2. Use a random temporary file name, like the mktemp utility provides. If the name is random, the attacker can't predict it to create it before you do. Then once the file has been created, the name is no longer a secret, but it doesn't matter because you own the file.
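
The two fixes listed above, as an added example that is not Icinga's own code: mkstemp() for a random name (fix 2), and an exclusive, no-follow open plus an ownership check for a fixed name in a directory only the service user can write (fix 1). The directory and icinga.* file names, and the helper names, are constructed for this demo.

```c
/* Added example, not Icinga code: avoid trusting a pre-created tmp file. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fix 2: random name. mkstemp() creates with O_CREAT|O_EXCL and mode 0600,
 * so it can never hand back a file somebody planted earlier. On success the
 * buffer holds the generated path. */
int open_random_tmp(const char *dir, char *path, size_t pathlen) {
    if (snprintf(path, pathlen, "%s/icinga.XXXXXX", dir) >= (int)pathlen)
        return -1;
    return mkstemp(path);
}

/* Fix 1: fixed name, but in a directory writable only by the service user.
 * Even then, refuse a file that already exists (O_EXCL) and never follow a
 * planted symlink (O_NOFOLLOW). Returns -1 instead of adopting it. */
int open_fixed_tmp(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Sanity check a defender can run at startup: 1 if path is a regular file,
 * owned by us and not group/world-writable; 0 otherwise. */
int tmp_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return st.st_uid == getuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void) {
    char dir[] = "/tmp/icinga-demo.XXXXXX";   /* constructed sandbox dir */
    char path[256];
    if (mkdtemp(dir) == NULL) return 1;
    int fd = open_random_tmp(dir, path, sizeof path);
    printf("random: %s fd=%d private=%d\n", path, fd, tmp_is_private(path));
    close(fd); unlink(path);
    /* Simulate the race: another local user pre-creates the fixed name. */
    snprintf(path, sizeof path, "%s/icinga.tmp", dir);
    close(open(path, O_WRONLY | O_CREAT, 0666));
    printf("pre-created fixed name: open_fixed_tmp=%d (-1 = refused)\n",
           open_fixed_tmp(path));
    unlink(path); rmdir(dir);
    return 0;
}
```
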

dnsmichi commented 6 years ago

You can change the tmp file location inside the main configuration, and as such you're safe as a user. If you want it more reliable, set it during the configure run (--with-tmp-dir).

If you think further and try to intercept check results which are temporarily read from disk - that's a more common and general problem with the core's logic to execute checks and put these into a spool directory. If you want a fix for that, you'd need to rewrite the entire core. That's one of the reasons for 2.x.

Still, I see the point - configure uses absolute paths not relative ones. Fixed in master, for anyone who wants to apply the patch.

orlitzky commented 6 years ago

LGTM, the new default will wind up writable only by the icinga user/group. Thanks!