This queue is for tickets about the Message-Passing-ZeroMQ CPAN distribution.

Report information
The Basics
Id: 89043
Status: new
Priority: 0/
Queue: Message-Passing-ZeroMQ

People
Owner: Nobody in particular
Requestors: dr [...] jones.dk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: predictable files in /tmp
Date: Mon, 30 Sep 2013 11:14:32 +0200
To: bug-message-passing-zeromq [...] rt.cpan.org
From: Jonas Smedegaard <dr [...] jones.dk>
Hi,

I noticed your recent fix for ØMQ bug#140 changing to /tmp if ZMQ_SWAP is enabled.

That makes me worry: does that mean ØMQ creates predictable files in a shared writable directory?

If so, I'd say that's a bug: It is common practice to chdir to root dir before starting daemons - AFAIUI not only to ensure the path does not disappear while daemon is running, but also to ensure CWD is not writable - exactly to avoid surprise security weaknesses like this.

Unless ØMQ only does a silly check for writability (i.e. does not actually write any files to CWD), I suggest to _not_ do a chdir, but instead do a check for write access on our own and fail with a human understandable error if not - hinting about the need for CWD to be writable (and recommending to use a _private_ writable dir if the system has any untrusted users).

Regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
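
The check proposed in the message above, written in Perl as an added example; it is not part of the ticket or of the Message-Passing-ZeroMQ distribution. The function name `check_swap_cwd`, the wording of the messages, and the extra warning for a directory that other users can write to are assumptions.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use Fcntl qw(:mode);

# Hypothetical helper, not part of Message::Passing::ZeroMQ.
# Inspects the current working directory instead of changing it.
sub check_swap_cwd {
    my $cwd = getcwd();
    die "Cannot determine the current working directory: $!\n"
        unless defined $cwd;

    my @st = stat($cwd)
        or die "Cannot stat working directory '$cwd': $!\n";
    my ($mode, $owner) = @st[2, 4];

    # Fail early with an explanation rather than silently moving to /tmp.
    unless (-w $cwd && -x $cwd) {
        die "ZMQ_SWAP is enabled but the working directory '$cwd' is not "
          . "writable.\nStart the process from a writable directory; on a "
          . "system with untrusted users, use a private one (mode 0700).\n";
    }

    # A directory that other local users can write to, or that another
    # non-root user owns, lets them create or replace files in it first.
    my @why;
    push @why, 'group-writable' if $mode & S_IWGRP;
    push @why, 'world-writable' if $mode & S_IWOTH;
    push @why, "owned by uid $owner" if $owner != $> && $owner != 0;
    warn "Working directory '$cwd' is shared (" . join(', ', @why) . "); "
       . "prefer a private directory for swap files.\n" if @why;

    return $cwd;
}

# Call once at startup, before any socket with swap enabled is created.
print "Swap files would be created in: ", check_swap_cwd(), "\n";
```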