Closed ianmiell closed 6 years ago
Well, insecure tmp file creation is a primary attack vector. I wasn't able to quickly track down where /tmp is hard-coded to take a look, but try to just avoid /tmp or any other directory directly; instead, let Python securely create your temp file(s) or directories for you with mkstemp or mkdtemp:
https://docs.python.org/2/library/tempfile.html#tempfile.mkstemp
You can specify a specific directory if needed on a different filesystem, but if someone can't write to /tmp, then it's a broken system and probably out of compliance with the LSB/FHS anyway.)
I think I resolved this - will re-check.
Thanks for the tip, I'll follow that up. I have run into obscure issues around these things with Cygwin et al.
There are systems we have at work (highly regulated/secure env) where one can't write to tmp. PITA.
Good point with regards to cygwin! /tmp should be world-writeable with sticky bit, but it's definitely a weak point for insecure scripts, so I can see blocking access -- at least it'd help you catch insecure scripts.
Like this one. :) https://github.com/aws/aws-codedeploy-agent/issues/30
some users can't write to /tmp