Asp Forum - Question on os.tempnam() vulnerability

cameronwong88@gmail.com

1/4/2008 7:56:00 PM

Hello,

Does any one know what kind of security risk these message are
suggesting?

>>> f = os.tempnam()
__main__:1: RuntimeWarning: tempnam is a potential security risk to
your program
>>> f
'/tmp/filed4cJNX'

>>> g = os.tmpnam()
__main__:1: RuntimeWarning: tmpnam is a potential security risk to
your program
>>> g
'/tmp/fileENAuNw'

Thanks,
~cw

10 Answers

Fredrik Lundh

1/4/2008 8:10:00 PM

cameronwong88@gmail.com wrote:

> Does any one know what kind of security risk these message are
> suggesting?
>
>>>> f = os.tempnam()
> __main__:1: RuntimeWarning: tempnam is a potential security risk to
> your program
>>>> f
> '/tmp/filed4cJNX'
>
>>>> g = os.tmpnam()
> __main__:1: RuntimeWarning: tmpnam is a potential security risk to
> your program
>>>> g
> '/tmp/fileENAuNw'

you get a name instead of a file, so someone else can create that file
after you've called tempnam/tmpnam, but before you've actually gotten
around to create the file yourself. which means that anyone on the
machine might be able to mess with your application's data.

use the functions marked as "safe" in the tempfile module instead.

</F>

Grant Edwards

1/4/2008 9:08:00 PM

On 2008-01-04, Fredrik Lundh <fredrik@pythonware.com> wrote:

> you get a name instead of a file, so someone else can create that file
> after you've called tempnam/tmpnam, but before you've actually gotten
> around to create the file yourself. which means that anyone on the
> machine might be able to mess with your application's data.
>
> use the functions marked as "safe" in the tempfile module instead.

Under Windows, is there a "safe" way to create a temp file that
has a name that can be passed to a program which will then open
it? I never figured out a way to do that and had to fall back
on the "unsafe" tmpnam method.

--
Grant Edwards grante Yow! I have seen these EGG
at EXTENDERS in my Supermarket
visi.com ... I have read the
INSTRUCTIONS ...

cameronwong88@gmail.com

1/5/2008 12:53:00 AM

On Jan 4, 12:09 pm, Fredrik Lundh <fred...@pythonware.com> wrote:
> cameronwon...@gmail.com wrote:
> > Does any one know what kind of security risk these message are
> > suggesting?
>
> >>>> f = os.tempnam()
> > __main__:1: RuntimeWarning: tempnam is a potential security risk to
> > your program
> >>>> f
> > '/tmp/filed4cJNX'
>
> >>>> g = os.tmpnam()
> > __main__:1: RuntimeWarning: tmpnam is a potential security risk to
> > your program
> >>>> g
> > '/tmp/fileENAuNw'
>
> you get a name instead of a file, so someone else can create that file
> after you've called tempnam/tmpnam, but before you've actually gotten
> around to create the file yourself. which means that anyone on the
> machine might be able to mess with your application's data.
>
> use the functions marked as "safe" in the tempfile module instead.
>
> </F>

Thanks Fredrik, for the clear explanation!!!

~cw

Jarek Zgoda

1/5/2008 11:42:00 AM

Grant Edwards pisze:

>> you get a name instead of a file, so someone else can create that file
>> after you've called tempnam/tmpnam, but before you've actually gotten
>> around to create the file yourself. which means that anyone on the
>> machine might be able to mess with your application's data.
>>
>> use the functions marked as "safe" in the tempfile module instead.
>
> Under Windows, is there a "safe" way to create a temp file that
> has a name that can be passed to a program which will then open
> it? I never figured out a way to do that and had to fall back
> on the "unsafe" tmpnam method.

I think it's all impossible to get only file name and feel safe. You
have to have both file name and a file object opened exclusively for
you. Any other way you'll get a possible race condition.

--
Jarek Zgoda
http://zgo...

Grant Edwards

1/5/2008 2:40:00 PM

On 2008-01-05, Jarek Zgoda <jzgoda@o2.usun.pl> wrote:

>> Under Windows, is there a "safe" way to create a temp file
>> that has a name that can be passed to a program which will
>> then open it? I never figured out a way to do that and had to
>> fall back on the "unsafe" tmpnam method.
>
> I think it's all impossible to get only file name and feel
> safe. You have to have both file name and a file object opened
> exclusively for you. Any other way you'll get a possible race
> condition.

I know. That's the point of my question: how do you do that
under Windows?

--
Grant Edwards grante Yow! HAIR TONICS, please!!
at
visi.com

Martin v. Loewis

1/5/2008 4:01:00 PM

> I know. That's the point of my question: how do you do that
> under Windows?

When you create a new process, you have the option to inherit
file handles to the new process. So the parent should open the
file, and then inherit the handle to the new process.

The new process will need to know what the file handle it should
use. There are two basic options:
a) pass the file handle number as a string on the command line
b) make the handle either stdin or stdout of the new process,
and have the new process ask for its stdin/stdout handle.

IOW, it's the same approach as on Unix.

Regards,
Martin

Grant Edwards

1/5/2008 4:13:00 PM

On 2008-01-05, Martin v. Löwis <martin@v.loewis.de> wrote:

>> I know. That's the point of my question: how do you do that
>> under Windows?
>
> When you create a new process, you have the option to inherit
> file handles to the new process. So the parent should open the
> file, and then inherit the handle to the new process.

That's an answer, though not for the question I asked. The
program that's being run requires a that it be passed a
filename on the command-line.

I'm not writing the program that is to open the file. If I
were, I'd just make it a python module and call it instead of
running it in a separate process.

> IOW, it's the same approach as on Unix.

Not really. Under Unix you can safely create a temp file with
a name that can be used to open the file. I asked about a way
to do that under Windows as well.

--
Grant Edwards grante Yow! ... I live in a
at FUR-LINE FALLOUT SHELTER
visi.com

Martin v. Loewis

1/5/2008 5:05:00 PM

> That's an answer, though not for the question I asked.

I think you'll have to pose a complete question again,
rather than "how do I do that", if you want to get an
answer to your question.

> Not really. Under Unix you can safely create a temp file with
> a name that can be used to open the file. I asked about a way
> to do that under Windows as well.

Assuming you are still talking about

" is there a "safe" way to create a temp file that
has a name that can be passed to a program which will then open
it?"

then also on Unix, the answer is: no, that's not possible.
I assume you are asking about a scenario such as:
a) the parent process creates a file
b) the parent process closes its handle to the file
c) the parent process creates a child process passing
the file name
d) the child process opens the file, and is certain that it
is still the same file

then this sequence cannot be implemented on Unix, either - another
process may remove the file and create a new one between b and d.

Regards,
Martin

Fredrik Lundh

1/5/2008 5:08:00 PM

Grant Edwards wrote:

>> IOW, it's the same approach as on Unix.
>
> Not really. Under Unix you can safely create a temp file with
> a name that can be used to open the file.

Unless I'm missing something, it's not possible to do this in a safe
way in the shared temp directory; you can do that only by creating a
file in a directory that's under full control of your user.

And *that* approach works on Windows as well, of course.

</F>

Grant Edwards

1/5/2008 5:29:00 PM

On 2008-01-05, Fredrik Lundh <fredrik@pythonware.com> wrote:
> Grant Edwards wrote:
>
>>> IOW, it's the same approach as on Unix.
>>
>> Not really. Under Unix you can safely create a temp file with
>> a name that can be used to open the file.
>
> Unless I'm missing something, it's not possible to do this in a safe
> way in the shared temp directory; you can do that only by creating a
> file in a directory that's under full control of your user.

Which is what I do.

> And *that* approach works on Windows as well, of course.

I was asking how to create a named temporary file under Windows
without a race condition. I've re-read the tempfile module
documentation a couple more times, and it finally dawned on me
that I'd been misreading the following statement about
tempfiles created by NamedTemporaryFile/mkstemp:

"Whether the name can be used to open the file a second time,
while the named temporary file is still open, varies across
platforms (it can be so used on Unix; it cannot on Windows NT
or later)."

I don't know how many times I've read that and missed the
phrase "while the named temporary file is still open". I had
always read that as saying that the tempfile couldn't be opened
a second time under Windows. I know, that would make the
availability of the path/name a moot point, but so many things
under Windows don't make sense to me that I just let it slide.

As Emily Litella used to say:

"Oh. That's very different. Never mind."

--
Grant Edwards grante Yow! It's hard being
at an ARTIST!!
visi.com

comp.lang.python

Question on os.tempnam() vulnerability

cameronwong88@gmail.com

Fredrik Lundh

Grant Edwards

cameronwong88@gmail.com

Jarek Zgoda

Grant Edwards

Martin v. Loewis

Grant Edwards

Martin v. Loewis

Fredrik Lundh

Grant Edwards

x Login to ForumsZone