[collectd] insecure tmpfile creation in collection.cgi
Michael Shigorin
mike at osdn.org.ua
Sun Sep 30 21:39:59 CEST 2007
Hello Florian and folks,
I've almost accidentally[1] stumbled upon an insecure temporary file
handling issue with contrib/collection.cgi which is actual at
least for 3.11.7:
    if (1)
    {
      my $fh;
      open ($fh, ">/tmp/collection.log") or die ("open: $!");
      flock ($fh, LOCK_EX) or die ("flock: $!");

      print $fh join ("\n\t", @cmd) . "\n";

      close ($fh);
    }
In the ALT Linux package, I've banded that with a private directory
accessible only to the apache user (which is still a crude hack);
probably something better could be crafted utilizing
/var/lib/collectd/cgi (1777 or so since CGIs might run under
different users) and something like mkstemp(3) to ensure unique
non-predictable filenames.
I can ask our perl devs but currently decided to do at least
something and notify upstream before getting some sleep. :)
PS: I'd like to have a look at 4.1.x and gather some thoughts
but from a quick peek at 4.0.x it's like technically it got
better but usability suffers severely compared to 3.x -- one
of selling points for me was exactly multi-value graphs.
That was a really quick check without much (but with some)
reading of docs and ML archives, not worth much attention
at all, but then again maybe worth some.
[1] an ACL for /tmp forbidding writes by apache user
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
---- Oct 26--27, Kiev, Ukraine:
-- http://conference.osdn.org.ua
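
One way to implement the mkstemp(3) suggestion from the message above, as an added example that is not part of the original post or of collectd's code. The function name log_command and the COLLECTION_LOG_DIR environment variable are hypothetical, the rrdtool arguments are constructed sample input, and the log directory is assumed to exist already:

```perl
#!/usr/bin/perl
# Added example (not collectd's code): write the command log through a
# mkstemp(3)-style file instead of the fixed path /tmp/collection.log.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempfile);

# Assumption: a log directory created by the package for the CGI user;
# COLLECTION_LOG_DIR is a hypothetical override, not a collectd setting.
my $LogDir = $ENV{'COLLECTION_LOG_DIR'} || '/var/lib/collectd/cgi';

sub log_command
{
  my @cmd = @_;

  # Refuse a missing or symlinked directory rather than falling back to /tmp.
  die ("log dir $LogDir is a symlink\n") if (-l $LogDir);
  die ("log dir $LogDir is not a directory\n") if (!-d $LogDir);

  # tempfile() opens with O_CREAT|O_EXCL and mode 0600, so a file or symlink
  # planted under the chosen name makes the open fail instead of being
  # followed and truncated, which is what open(">...") would do.
  my ($fh, $filename) = tempfile ('collection-XXXXXXXXXX',
    DIR => $LogDir, SUFFIX => '.log', UNLINK => 0);

  flock ($fh, LOCK_EX) or die ("flock: $!");
  print $fh join ("\n\t", @cmd) . "\n";
  close ($fh) or die ("close: $!");

  return ($filename);
}

# Constructed sample command, standing in for the @cmd built by the CGI.
if (!caller)
{
  my $file = log_command ('rrdtool', 'graph', '-', '--start', '-86400',
    'DEF:avg=/var/lib/collectd/load.rrd:shortterm:AVERAGE',
    'LINE1:avg#0000ff');
  print STDERR "wrote $file\n";
}
```

Each call leaves one new file behind, so a debug log written this way needs pruning or should be disabled outside of debugging.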