tempfile.mktemp() and symlink attacks

Yannick Gingras ygingras at eclipsys.qc.ca
Fri Nov 29 17:28:10 EST 2002


Robin Munn wrote:

>>>Is using tempfile.mktemp() vulnerable to symlink attacks?  The reason I
>>>ask is that the documentation for os.tempnam() and os.tmpnam() has
>>>warnings about symlink attacks, but the documentation for
>>>tempfile.mktemp() does
>>>not.  Also, running os.tempnam() and os.tmpnam() actually brings a
>>>RuntimeWarning, while I tried comparing the implementations, but couldn't
>>>find the source for os.tempnam() and os.tmpnam() in os.py (I'm using
>>>version 2.2.1).

I was about to post to report the vulnerability.

tempfile.mktemp() is REALLY vulnerable to symlink attacks.
The default behaviour of tempfile.mktemp() is to return
something close to
import os
num_mktemp_call = 0  # counter incremented on each mktemp() call
os.path.join(os.environ['TEMPDIR'], "@%d.%d" % (os.getpid(), num_mktemp_call))
hummm... not as readable as I expected.  Suppose a process with
pid 2344 and the environment variable TEMPDIR set to /tmp
calls tempfile.mktemp() 3 times; it will receive:
/tmp/@2344.0
/tmp/@2344.1
/tmp/@2344.2
The file names are easy to guess, and I don't know a way to
make file() fail if the file already exists.
tempfile.mktemp() will not return a filename already present
on the system, but by the time you open it, a symlink may have
been set.

There is an optional argument to tempfile.mktemp() that can
help you make the filename harder to guess, but you still
can't tell if the file has been created by the time you open
it.

e.g.:
import tempfile
import time
from random import Random

rnd = Random(time.time())
filename = tempfile.mktemp("%d%d%d" % (rnd.randrange(100000),
                                       rnd.randrange(100000),
                                       rnd.randrange(100000)))
In this form, the filename will have a large number of
random digits appended.  But still, the attacker may understand the
pattern and do an infinite number of retries until he guesses the
right filename, and you have (as far as I know) no way to
detect if file() created the file or if it opened an existing
file.

-- 
Yannick Gingras
Coder for OBB : Oratorical Boyish Bozeman
http://OpenBeatBox.org
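A defensive counterpart to the race described in the post, added here as an example and not code from the original message: in a private scratch directory it plants a symlink at the predictable "@<pid>.0" name, shows that a plain open() writes straight through it, and shows that os.open() with O_CREAT|O_EXCL (the exclusive create that tempfile.mkstemp() performs internally) refuses the pre-existing path instead. It assumes a POSIX filesystem with symlink support; the directory and victim file are constructed for the demo.

```python
import os
import shutil
import tempfile

def naive_create(path, data):
    # The pattern the post describes: open()/file() with "w" follows a symlink
    # already sitting at the guessed name and truncates its target.
    with open(path, "w") as f:
        f.write(data)
    return os.path.realpath(path)

def safe_create(path, data):
    # O_CREAT|O_EXCL is atomic: if anything (file or symlink) already exists
    # at path, os.open raises FileExistsError instead of opening it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def demo():
    workdir = tempfile.mkdtemp()  # constructed sandbox standing in for /tmp
    try:
        victim = os.path.join(workdir, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")
        # Plant a symlink at the predictable "@<pid>.0" name before the open.
        predicted = os.path.join(workdir, "@%d.0" % os.getpid())
        os.symlink(victim, predicted)
        followed = naive_create(predicted, "x") == os.path.realpath(victim)
        with open(victim) as f:
            after_naive = f.read()
        with open(victim, "w") as f:  # reset the victim, then retry safely
            f.write("original")
        try:
            safe_create(predicted, "x")
            refused = False
        except FileExistsError:
            refused = True
        with open(victim) as f:
            after_safe = f.read()
        # mkstemp() does the exclusive create itself and returns an open fd,
        # so there is no name-then-open window to race.
        fd, name = tempfile.mkstemp(dir=workdir)
        os.close(fd)
        return {"naive_followed_symlink": followed, "after_naive": after_naive,
                "safe_refused": refused, "after_safe": after_safe,
                "mkstemp_created": os.path.isfile(name)}
    finally:
        shutil.rmtree(workdir)
```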
