Skip to content

Insecure /tmp usage with static path (use mktemp instead or not shared /tmp) #12

Open
Open
Insecure /tmp usage with static path (use mktemp instead or not shared /tmp)#12
@emanuelb

Description

@emanuelb
emanuelb
opened on Apr 6, 2021

Files / Folders are used in /tmp with static/predictable names, which is bad practice and in general as it's vulnerable to malicious usage from other users on the system (it's worth to fix even if it's not problematic in the specific case as it's still bad code)
examples are: /tmp/bwt.tar.gz /tmp/bitcoin.tar.gz

eznode/bwt/install

Lines 12 to 18 in 392290b

# Install bwt
distname=bwt-$BWT_VERSION-$BWT_ARCH
wget -qO /tmp/bwt.tar.gz https://github.com/bwt-dev/bwt/releases/download/v$BWT_VERSION/$distname.tar.gz
echo "$BWT_SHA256 /tmp/bwt.tar.gz" | sha256sum -c -
tar xzf /tmp/bwt.tar.gz -C /tmp
mv /tmp/$distname/bwt /usr/local/bin

eznode/bitcoind/install

Lines 4 to 8 in 392290b

wget -qO /tmp/bitcoin.tar.gz https://bitcoincore.org/bin/bitcoin-core-$BITCOIND_VERSION/bitcoin-$BITCOIND_VERSION-$BITCOIND_ARCH.tar.gz --show-progress --progress=bar:force
echo "$BITCOIND_SHA256 /tmp/bitcoin.tar.gz" | sha256sum -c -
tar xzf /tmp/bitcoin.tar.gz -C /tmp
mv /tmp/bitcoin-$BITCOIND_VERSION/bin/bitcoin{d,-cli} /usr/local/bin/

Using mktemp to generate the tmp file is better, also creating a temporary directory with mktemp -d and working with static names in it is ok (or creating temp dir for each usage by mktemp -d --suffix='-some-related-suffix'), also not using shared /tmp/ but another location like /home/user/tmp/ is also a fix.
There more /tmp/ usage instances in this codebase which should be fixed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions