search

ianmiell / shutit

Automation framework for programmers
http://ianmiell.github.io/shutit/
MIT License
2.15k stars 110 forks source link

move /tmp dir to home/.shutit/tmp #298

Closed ianmiell closed 6 years ago

ianmiell commented 7 years ago

some users can't write to /tmp

perpetual-hydrofoil commented 7 years ago

Well, insecure tmp file creation is a primary attack vector. I wasn't able to quickly track down where /tmp is hard-coded to take a look, but try to just avoid /tmp or any other directory directly; instead, let Python securely create your temp file(s) or directories for you with mkstemp or mkdtemp:

https://docs.python.org/2/library/tempfile.html#tempfile.mkstemp

You can specify a specific directory if needed on a different filesystem, but if someone can't write to /tmp, then it's a broken system and probably out of compliance with the LSB/FHS anyway.)

ianmiell commented 7 years ago

I think I resolved this - will re-check.

Thanks for the tip, I'll follow that up. I have run into obscure issues around these things with Cygwin et al.

ianmiell commented 7 years ago

There are systems we have at work (highly regulated/secure env) where one can't write to tmp. PITA.

perpetual-hydrofoil commented 7 years ago

Good point with regards to cygwin! /tmp should be world-writeable with sticky bit, but it's definitely a weak point for insecure scripts, so I can see blocking access -- at least it'd help you catch insecure scripts.

Like this one. :) https://github.com/aws/aws-codedeploy-agent/issues/30