prompt-toolkit / pymux

A terminal multiplexer (like tmux) in Python
BSD 3-Clause "New" or "Revised" License

Writing crash reports to `/tmp/pymux.crash` might be insecure #8

Closed chriskuehl closed 8 years ago

chriskuehl commented 8 years ago

Hi,

Awesome project! I'm looking at some code in main.py:

            # When something bad happens, always dump the traceback.
            # (Otherwise, when running as a daemon, and stdout/stderr are not
            # available, it's hard to see what went wrong.)
            with open('/tmp/pymux.crash', 'wb') as f:
                f.write(traceback.format_exc().encode('utf-8'))
            raise

I believe this is somewhat dangerous. An attacker can create a symlink like /tmp/pymux.crash -> /etc/passwd. If pymux running as the root user then crashes, pymux will write into the symlink, clobbering the file it points at (in this case, /etc/passwd).

Modern Linux kernels have protection against this as long as fs.protected_symlinks is enabled, but it seems to be disabled by default in the kernel (apparently enabled by default in Debian, though). I don't know about OS X protections.

Some possible ways to avoid that:

I'd be happy to write a patch.
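
An added example, not part of the issue thread or pymux's own code, that contrasts the quoted `open()` pattern with two hardened ways of creating the report file. The function names and the scratch-directory scenario are constructed for illustration, and these are not necessarily the fixes proposed in this issue.

```python
import os
import tempfile

def write_naive(path, text):
    # Pattern from the quoted main.py snippet: open() follows a symlink at
    # `path` and truncates whatever file it resolves to.
    with open(path, 'wb') as f:
        f.write(text.encode('utf-8'))

def write_exclusive(path, text):
    # O_CREAT|O_EXCL fails if anything, including a symlink, already exists
    # at `path`; O_NOFOLLOW is added as defence in depth where available.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_NOFOLLOW', 0)
    with os.fdopen(os.open(path, flags, 0o600), 'wb') as f:
        f.write(text.encode('utf-8'))

def write_unique(text, directory=None):
    # mkstemp() picks an unpredictable name and creates it exclusively, 0600.
    fd, path = tempfile.mkstemp(prefix='pymux.crash.', dir=directory)
    with os.fdopen(fd, 'wb') as f:
        f.write(text.encode('utf-8'))
    return path

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    # Constructed scenario: a private scratch directory stands in for /tmp.
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, 'victim.txt')
        crash = os.path.join(tmp, 'pymux.crash')
        with open(victim, 'w') as f:
            f.write('important')
        os.symlink(victim, crash)  # link planted at the predictable path
        try:
            write_exclusive(crash, 'traceback')
            out['exclusive'] = 'written'
        except OSError:
            out['exclusive'] = 'refused'
        out['victim_after_exclusive'] = read(victim)
        out['unique_mode'] = oct(os.stat(write_unique('tb', tmp)).st_mode & 0o777)
        write_naive(crash, 'traceback')
        out['victim_after_naive'] = read(victim)
    return out

if __name__ == '__main__':
    print(demo())
```

With a fixed path, the exclusive variant still lets another local user pre-create the file and so suppress the crash report; the unique-name variant (or a per-user directory) avoids that as well.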

jonathanslenders commented 8 years ago

Hi @chriskuehl, Thanks for pointing out this issue. That's important.

Both solutions look good to me. I'm not sure what the most common is. If you write a patch, I'd be happy to merge it. Thank you.