The default sandbox dir is /tmp/sandbox-%d (with getpid). This is very predictable. Then, the return value of mkdir(opt_root, 0755); is not checked. This means a different system user could pre-create the sandbox dir and inject files into it.
Checking the return value of mkdir (and aborting on EEXIST) would fix this. I'm also not sure 0755 is the best default.
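As an added illustration (not code from the project being reported on), here is the pattern the report describes beside the fix it suggests, in C. The post-creation ownership check and the `mkdtemp` variant go beyond what the report proposes; the function names and the `/tmp/sandbox-check-%d` path are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the report describes: predictable name, mkdir result ignored,
 * world-readable mode. A local user who pre-creates the path owns it. */
void sandbox_root_unchecked(char *buf, size_t len) {
    snprintf(buf, len, "/tmp/sandbox-%d", (int)getpid());
    mkdir(buf, 0755); /* EEXIST is silently ignored */
}

/* Fix suggested in the report: create owner-only and abort if the path
 * already exists. The lstat afterwards is defence in depth: it confirms
 * the path is a real directory owned by us with no group/other access. */
int create_sandbox_root(const char *path) {
    struct stat st;
    if (mkdir(path, 0700) != 0) {
        fprintf(stderr, "%s: %s\n", path, errno == EEXIST
                ? "already exists, refusing to reuse it" : strerror(errno));
        return -1;
    }
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        rmdir(path);
        return -1;
    }
    return 0;
}

/* Beyond the report: mkdtemp picks an unpredictable suffix and creates the
 * directory with mode 0700 atomically, so pre-creation is impractical. */
int create_sandbox_root_random(char *buf, size_t len) {
    snprintf(buf, len, "%s", "/tmp/sandbox-XXXXXX");
    return mkdtemp(buf) ? 0 : -1;
}

/* Demonstrates the fix: first creation succeeds, a second attempt on the
 * same (now pre-existing) path is refused. Returns 1 on expected behaviour. */
int demo_refuses_existing(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/sandbox-check-%d", (int)getpid());
    int first = create_sandbox_root(path);
    int second = create_sandbox_root(path);
    rmdir(path);
    return first == 0 && second == -1;
}
```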