jelly closed this issue 5 years ago
👎 from me as:
"Checksec is a bash script to check the properties of executables"
I would not call hardcoding a /tmp path in an executable a "property".
Also, if the binary uses some kind of library function to create a temporary file which then uses /tmp, this won't be detected for a given executable. You would have to follow libraries and keep track of functions that do it to do so.
I am not saying that such a check is irrational - it is indeed good to audit such occurrences. My point is that checksec is not the intended tool to do this job.
This should be done by other static analysis tools like (maybe, not sure if it does so) cppcheck or even maybe QL-based static analysers like Semmle's LGTM (so that you would be able to automatically ensure e.g. permissions of files created in temp paths or see what happens to those paths faster).
Totally valid points, since one of the examples actually is a static linter (Python's bandit)
Agree with disconnect3d. Going to close this one.
Issue
Some programs hardcode the /tmp/ path for creating temporary files, which, if predictable, allows local attackers to overwrite arbitrary files, as in CVE-2018-7441. checksec.py had a check for these cases inspired by find-elf4tmp. checksec should be able to detect the usage of insecure /tmp/ and report this. Bandit, a Python security scanner, also has a check for these issues.
Command run to produce the error
checksec --file=/usr/bin/leptonica
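A minimal string scan of the kind the issue asks for, as an added example (not code from checksec, checksec.py or find-elf4tmp). The byte blobs and the paths in them are constructed; the second blob shows the limit raised in the comments, where a binary that reaches /tmp only through library calls produces no findings.

```python
import re

# Runs of 5+ printable ASCII bytes, roughly what strings(1) extracts.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{5,}")


def find_tmp_paths(blob: bytes):
    """Return (offset, string, kind) for each embedded string containing /tmp/."""
    findings = []
    for m in PRINTABLE_RUN.finditer(blob):
        run = m.group()
        if b"/tmp/" not in run:
            continue
        text = run.decode("ascii")
        # A trailing XXXXXX is the mkstemp(3)/mkdtemp(3) template form. It still
        # needs review: mktemp(3) takes the same template and is racy.
        kind = "template" if text.endswith("XXXXXX") else "fixed"
        findings.append((m.start(), text, kind))
    return findings


# Constructed sample: a fake header followed by two embedded path strings.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/tmp/report.log\x00"            # fixed, predictable name
    + b"\x01\x02\x00/tmp/app.XXXXXX\x00"  # template for mkstemp-style calls
    + b"\x00\x03%s/cache.db\x00"
)

# Constructed sample: only imported function names, no literal path. The
# temporary-file location is decided inside the library, so the scan is blind.
LIBC_ONLY = b"\x00tmpfile\x00mkstemp\x00TMPDIR\x00"

if __name__ == "__main__":
    for offset, text, kind in find_tmp_paths(SAMPLE):
        print(f"0x{offset:04x}  {kind:8s}  {text}")
    print("library-only blob findings:", find_tmp_paths(LIBC_ONLY))
```

A "fixed" hit is only a lead for manual review: the scan cannot tell whether the file is opened with O_EXCL, inside a private directory, or not at all.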