Date: Fri, 20 Feb 1998 20:10:53 -0700
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
Subject: Re: Pipe attacks
To: BUGTRAQ@NETSPACE.ORG

I have made comments before to the effect that "symbolic links in /tmp are not the only things that are troublesome". Now people think fifos are a problem, and likely people will come up with hacks so that fifos now have a new semantic in /tmp. That's an incorrect workaround or fix.

Anything which is created non-atomically has problems. Not just with symbolic links, not just with fifos. Think regular files.

In many of these scenarios it is quite possible for the attacker to guess what the filename will be beforehand. gcc is an example, mail is another. The attacker simply must create the temporary file before the victim program does. Now the attacker owns the victim's temporary file.

I bet someone could write an exploit which modifies the compiler's intermediate files and inserts trojan code automatically. Yes, it's a race. (I would suggest cpp files since they contain much blank space which can be compacted to make room for trojan code).

The attacker owns the file because he created it before the victim did, and the victim did not use an atomic file creation. Code like this should be modified to create files atomically and safely.

I'm sorry, but there just isn't a way around the problem.
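The point about atomic creation, as an added C example that is not part of the post: a predictable name opened with O_CREAT but without O_EXCL adopts whatever already sits at that path, while O_CREAT|O_EXCL (or mkstemp, which also picks an unpredictable name) refuses with EEXIST. The demo path under /tmp is constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Non-atomic pattern: predictable name, O_CREAT without O_EXCL. Whatever was
 * pre-created at that path is silently reused (and truncated), which is the
 * race the post describes. Returns an fd, or -1 on error. */
int open_temp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic pattern: O_CREAT|O_EXCL either creates a brand-new file or fails with
 * EEXIST. A pre-existing regular file, fifo or symlink all make it fail, so
 * the program never adopts someone else's object. */
int open_temp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* mkstemp(3) combines O_EXCL creation with an unpredictable name; the template
 * must end in XXXXXX and is overwritten with the name actually created. */
int open_temp_mkstemp(char *tmpl) {
    return mkstemp(tmpl);
}

/* Stage the race in-process: the file is created first by "someone else", then
 * both open styles are tried on the same path. Returns 1 when the non-atomic
 * open adopts the pre-existing file and the exclusive open refuses with EEXIST. */
int demo_race(void) {
    char path[] = "/tmp/bugtraq_demo_XXXXXX";   /* constructed sample path */
    int first_fd = mkstemp(path);              /* the file already exists */
    if (first_fd < 0) return 0;
    close(first_fd);

    int reused = open_temp_predictable(path);  /* succeeds: wrong file adopted */
    int excl = open_temp_exclusive(path);      /* must fail */
    int saved_errno = errno;
    int ok = reused >= 0 && excl < 0 && saved_errno == EEXIST;

    if (reused >= 0) close(reused);
    if (excl >= 0) close(excl);
    unlink(path);
    return ok;
}

int main(void) {
    printf("atomic creation blocks the race: %s\n", demo_race() ? "yes" : "no");
    return 0;
}
```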